server

package
v0.13.0

This package is not in the latest version of its module.
Published: Nov 22, 2022 License: GPL-3.0 Imports: 5 Imported by: 0

README

echo middleware

This folder contains middleware for the echo router.

This middleware only ensures that the signature is legitimate. On its own, the signature is not enough; here are a few recommendations:

  • your user should include a timestamp in the signed data, so that you can prevent message replay
  • you should not use the user password as the signing key, except at login. When the user logs in, provide the user with a session ID and key, with an expiry date. Subsequent requests should use that session key. Doing so:
    • The user can log out by invalidating the session
    • If the session happens to be compromised, revoking the session will prevent any unwanted action from any third party
    • Changing the session key frequently reduces risk: if a third party manages to get the key, it will only be valid for a limited period of time
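
The timestamp recommendation above, sketched with only the Go standard library as an added example (it is not this package's code or API). The names sign, verify and maxSkew, the timestamp-newline-body layout and the two-minute window are assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strconv"
	"time"
)

// maxSkew is an assumed freshness window; size it to your clock drift and latency.
const maxSkew = 2 * time.Minute
var (
	ErrBadSignature = errors.New("signature mismatch")
	ErrStale        = errors.New("timestamp missing, malformed or outside the freshness window")
)

// sign returns base64(HMAC-SHA256(key, ts + "\n" + body)); this layout is an assumption.
func sign(key []byte, ts string, body []byte) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(ts + "\n"))
	mac.Write(body)
	return base64.StdEncoding.EncodeToString(mac.Sum(nil))
}

// verify checks the MAC in constant time first, then the age of the signed timestamp.
func verify(key []byte, ts string, body []byte, sigB64 string, now time.Time) error {
	if !hmac.Equal([]byte(sign(key, ts, body)), []byte(sigB64)) {
		return ErrBadSignature
	}
	sec, err := strconv.ParseInt(ts, 10, 64)
	if err != nil {
		return ErrStale
	}
	if age := now.Sub(time.Unix(sec, 0)); age > maxSkew || age < -maxSkew {
		return ErrStale
	}
	return nil
}

func main() {
	key, body := []byte("constructed-session-key"), []byte(`{"amount":10}`) // constructed sample values
	now := time.Unix(1700000000, 0)
	ts := strconv.FormatInt(now.Unix(), 10)
	sig := sign(key, ts, body)
	fmt.Println(verify(key, ts, body, sig, now), verify(key, ts, body, sig, now.Add(10*time.Minute)))
}
```

A replay inside the window still verifies; rejecting it needs a server-side record of signatures or nonces already seen.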

Here is an example usage:

import hmacMiddleware "gitlab.bad-wolf.fr/wolf/hmac/middleware/echo"

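// ksm returns the signing key and the signature presented with the request.
ksm := func(c echo.Context) (key []byte, signature []byte, err error) {
    // The signature arrives base64-encoded in the X-Signature header.
    signatureB64 := c.Request().Header.Get("X-Signature")
    // "dummyKey" is a static placeholder key for the example.
    return []byte("dummyKey"), []byte(signatureB64), err
}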

signer := hmac.NewSigner(
    hmac.SignerWithHashFunction(sha256.New),
    hmac.SignerWithRequestEncoder(templateEncoder),
    hmac.SignerWithSignatureEncoder(
        func(b []byte) ([]byte, error) {
            return []byte(base64.StdEncoding.EncodeToString(b)), nil
        },
    ),
)

e := echo.New()
// The third argument is signatureRequired.
auth := e.Group("/auth", hmacMiddleware.SignatureChecker(signer, ksm, true))

The ksm variable holds the function that hmacMiddleware.SignatureChecker uses to retrieve the signature from a request and the key associated with that request. Here the signature is in the X-Signature header. The key is static, but it could, for example, be linked to a user ID taken from a header.

The third argument to hmacMiddleware.SignatureChecker(signer, ksm, true) is signatureRequired, which the call above sets to true. When signatureRequired is set to false, an unauthenticated user may perform requests. Your handler can use the hmacMiddleware.SignatureOK(c) function to know whether the calling user is authenticated. Furthermore, you can use hmacMiddleware.SignatureEnforce() to enforce signature validation on specific routes of a group, even though signatureRequired was set to false.

Documentation

Index

Constants

const (
	KeySignatureOK = "hmac-signature-ok"
)

Variables

This section is empty.

Functions

func SignatureChecker

func SignatureChecker(signer hmac.Signer, ksg KeySignatureGetter, signatureRequired bool) echo.MiddlewareFunc

SignatureChecker reads the signature from a request and ensures it is legit. This should be the first step on an authentication root. If no error is returned by the KeySignatureGetter and key/signature are nil, the middleware will let the request in unless signatureRequired is true in the

func SignatureEnforce

func SignatureEnforce() echo.MiddlewareFunc

SignatureEnforce is to be used after SignatureChecker to enforce a signature on a route, even though the signatureRequired parameter of SignatureChecker was false

func SignatureOK

func SignatureOK(c echo.Context) bool

Types

type KeySignatureGetter

type KeySignatureGetter func(c echo.Context) (key, signature []byte, err error)

KeySignatureGetter returns the key and signature associated with a given request
