package middleware import ( "crypto/subtle" "net/http" "strings" "github.com/owncast/owncast/core/data" "github.com/owncast/owncast/core/user" "github.com/owncast/owncast/utils" log "github.com/sirupsen/logrus" ) // ExternalAccessTokenHandlerFunc is a function that is called after validing access. type ExternalAccessTokenHandlerFunc func(user.ExternalAPIUser, http.ResponseWriter, *http.Request) // UserAccessTokenHandlerFunc is a function that is called after validing user access. type UserAccessTokenHandlerFunc func(user.User, http.ResponseWriter, *http.Request) // RequireAdminAuth wraps a handler requiring HTTP basic auth for it using the given // the stream key as the password and and a hardcoded "admin" for username. func RequireAdminAuth(handler http.HandlerFunc) http.HandlerFunc { return func(w http.ResponseWriter, r *http.Request) { username := "admin" password := data.GetAdminPassword() realm := "Owncast Authenticated Request" // The following line is kind of a work around. // If you want HTTP Basic Auth + Cors it requires _explicit_ origins to be provided in the // Access-Control-Allow-Origin header. So we just pull out the origin header and specify it. // If we want to lock down admin APIs to not be CORS accessible for anywhere, this is where we would do that. w.Header().Set("Access-Control-Allow-Origin", r.Header.Get("Origin")) w.Header().Set("Access-Control-Allow-Credentials", "true") w.Header().Set("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept, Authorization") // For request needing CORS, send a 204. if r.Method == "OPTIONS" { w.WriteHeader(http.StatusNoContent) return } user, pass, ok := r.BasicAuth() // Failed if !ok || subtle.ConstantTimeCompare([]byte(user), []byte(username)) != 1 || subtle.ConstantTimeCompare([]byte(pass), []byte(password)) != 1 { w.Header().Set("WWW-Authenticate", `Basic realm="`+realm+`"`) http.Error(w, "Unauthorized", http.StatusUnauthorized) log.Debugln("Failed admin authentication") return } handler(w, r) } } func accessDenied(w http.ResponseWriter) { w.WriteHeader(http.StatusUnauthorized) //nolint w.Write([]byte("unauthorized")) //nolint } // RequireExternalAPIAccessToken will validate a 3rd party access token. func RequireExternalAPIAccessToken(scope string, handler ExternalAccessTokenHandlerFunc) http.HandlerFunc { return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { // We should accept 3rd party preflight OPTIONS requests. if r.Method == "OPTIONS" { // All OPTIONS requests should have a wildcard CORS header. w.Header().Set("Access-Control-Allow-Origin", "*") w.WriteHeader(http.StatusNoContent) return } authHeader := r.Header.Get("Authorization") token := "" if strings.HasPrefix(strings.ToLower(authHeader), "bearer ") { token = authHeader[len("bearer "):] } if token == "" { log.Warnln("invalid access token") accessDenied(w) return } integration, err := user.GetExternalAPIUserForAccessTokenAndScope(token, scope) if integration == nil || err != nil { accessDenied(w) return } // All auth'ed 3rd party requests should have a wildcard CORS header. w.Header().Set("Access-Control-Allow-Origin", "*") handler(*integration, w, r) if err := user.SetExternalAPIUserAccessTokenAsUsed(token); err != nil { log.Debugln("token not found when updating last_used timestamp") } }) } // RequireUserAccessToken will validate a provided user's access token and make sure the associated user is enabled. // Not to be used for validating 3rd party access. func RequireUserAccessToken(handler UserAccessTokenHandlerFunc) http.HandlerFunc { return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { accessToken := r.URL.Query().Get("accessToken") if accessToken == "" { accessDenied(w) return } ipAddress := utils.GetIPAddressFromRequest(r) // Check if this client's IP address is banned. if blocked, err := data.IsIPAddressBanned(ipAddress); blocked { log.Debugln("Client ip address has been blocked. Rejecting.") accessDenied(w) return } else if err != nil { log.Errorln("error determining if IP address is blocked: ", err) } // A user is required to use the websocket user := user.GetUserByToken(accessToken) if user == nil || !user.IsEnabled() { accessDenied(w) return } handler(*user, w, r) }) } // RequireUserModerationScopeAccesstoken will validate a provided user's access token and make sure the associated user is enabled // and has "MODERATOR" scope assigned to the user. func RequireUserModerationScopeAccesstoken(handler http.HandlerFunc) http.HandlerFunc { return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { accessToken := r.URL.Query().Get("accessToken") if accessToken == "" { accessDenied(w) return } // A user is required to use the websocket user := user.GetUserByToken(accessToken) if user == nil || !user.IsEnabled() || !user.IsModerator() { accessDenied(w) return } handler(w, r) }) }