diff options
author | Matt Holt <mholt@users.noreply.github.com> | 2020-04-07 20:39:13 -0600 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-04-07 20:39:13 -0600 |
commit | fbd9515d3523a24e83b0e671f2fc0e17dcdd9b19 (patch) | |
tree | 592bf74a6ee4776f45d6c2893dac948ffdc2098b /modules/caddyhttp | |
parent | 95f6bd7e5ca1450d95405665ee3fb7aa1adc5228 (diff) |
basicauth: Re-prompt after invalid credentials (fix #3239) (#3240)
Diffstat (limited to 'modules/caddyhttp')
-rw-r--r-- | modules/caddyhttp/caddyauth/basicauth.go | 30 |
1 files changed, 15 insertions, 15 deletions
diff --git a/modules/caddyhttp/caddyauth/basicauth.go b/modules/caddyhttp/caddyauth/basicauth.go index 50fbed9..b4cf838 100644 --- a/modules/caddyhttp/caddyauth/basicauth.go +++ b/modules/caddyhttp/caddyauth/basicauth.go @@ -105,20 +105,8 @@ func (hba *HTTPBasicAuth) Provision(ctx caddy.Context) error { // Authenticate validates the user credentials in req and returns the user, if valid. func (hba HTTPBasicAuth) Authenticate(w http.ResponseWriter, req *http.Request) (User, bool, error) { username, plaintextPasswordStr, ok := req.BasicAuth() - - // if basic auth is missing or invalid, prompt for credentials if !ok { - // browsers show a message that says something like: - // "The website says: <realm>" - // which is kinda dumb, but whatever. - realm := hba.Realm - if realm == "" { - realm = "restricted" - } - - w.Header().Set("WWW-Authenticate", fmt.Sprintf(`Basic realm="%s"`, realm)) - - return User{}, false, nil + return hba.promptForCredentials(w, nil) } plaintextPassword := []byte(plaintextPasswordStr) @@ -129,15 +117,27 @@ func (hba HTTPBasicAuth) Authenticate(w http.ResponseWriter, req *http.Request) same, err := hba.Hash.Compare(account.password, plaintextPassword, account.salt) if err != nil { - return User{}, false, err + return hba.promptForCredentials(w, err) } if !same || !accountExists { - return User{}, false, nil + return hba.promptForCredentials(w, nil) } return User{ID: username}, true, nil } +func (hba HTTPBasicAuth) promptForCredentials(w http.ResponseWriter, err error) (User, bool, error) { + // browsers show a message that says something like: + // "The website says: <realm>" + // which is kinda dumb, but whatever. + realm := hba.Realm + if realm == "" { + realm = "restricted" + } + w.Header().Set("WWW-Authenticate", fmt.Sprintf(`Basic realm="%s"`, realm)) + return User{}, false, err +} + // Comparer is a type that can securely compare // a plaintext password with a hashed password // in constant-time. Comparers should hash the |