diff --git a/auth.go b/auth.go
index 3ae0bf7..73e288f 100644
--- a/auth.go
+++ b/auth.go
@@ -33,49 +33,58 @@ func NewAuth(paramstr string) (Auth, error) {
 }
 }
 
-type StaticAuth string
+type StaticAuth struct {
+ token string
+ hiddenDomain string
+}
 
-func NewStaticAuth(param_url *url.URL) (StaticAuth, error) {
+func NewStaticAuth(param_url *url.URL) (*StaticAuth, error) {
 values, err := url.ParseQuery(param_url.RawQuery)
 if err != nil {
- return StaticAuth(""), err
+ return nil, err
 }
 username := values.Get("username")
 if username == "" {
- return StaticAuth(""), errors.New("\"username\" parameter is missing from auth config URI")
+ return nil, errors.New("\"username\" parameter is missing from auth config URI")
 }
 password := values.Get("password")
 if password == "" {
- return StaticAuth(""), errors.New("\"password\" parameter is missing from auth config URI")
+ return nil, errors.New("\"password\" parameter is missing from auth config URI")
 }
- return StaticAuth(base64.StdEncoding.EncodeToString(
- []byte(username + ":" + password))), nil
+ return &StaticAuth{
+ token: base64.StdEncoding.EncodeToString([]byte(username + ":" + password)),
+ hiddenDomain: strings.ToLower(values.Get("hidden_domain")),
+ }, nil
 }
 
-func requireBasicAuth(wr http.ResponseWriter) {
- wr.Header().Set("Proxy-Authenticate", `Basic realm="dumbproxy"`)
- wr.Header().Set("Content-Length", strconv.Itoa(len([]byte(AUTH_REQUIRED_MSG))))
- wr.WriteHeader(407)
- wr.Write([]byte(AUTH_REQUIRED_MSG))
+func requireBasicAuth(wr http.ResponseWriter, req *http.Request, hidden_domain string) {
+ if hidden_domain != "" && req.URL.Host != hidden_domain && req.Host != hidden_domain {
+ http.Error(wr, "Bad Request", http.StatusBadRequest)
+ } else {
+ wr.Header().Set("Proxy-Authenticate", `Basic realm="dumbproxy"`)
+ wr.Header().Set("Content-Length", strconv.Itoa(len([]byte(AUTH_REQUIRED_MSG))))
+ wr.WriteHeader(407)
+ wr.Write([]byte(AUTH_REQUIRED_MSG))
+ }
 }
 
-func (auth StaticAuth) Validate(wr http.ResponseWriter, req *http.Request) bool {
+func (auth *StaticAuth) Validate(wr http.ResponseWriter, req *http.Request) bool {
 hdr := req.Header.Get("Proxy-Authorization")
 if hdr == "" {
- requireBasicAuth(wr)
+ requireBasicAuth(wr, req, auth.hiddenDomain)
 return false
 }
 hdr_parts := strings.SplitN(hdr, " ", 2)
 if len(hdr_parts) != 2 || strings.ToLower(hdr_parts[0]) != "basic" {
- requireBasicAuth(wr)
+ requireBasicAuth(wr, req, auth.hiddenDomain)
 return false
 }
 token := hdr_parts[1]
- ok := (subtle.ConstantTimeCompare([]byte(token), []byte(auth)) == 1)
+ ok := (subtle.ConstantTimeCompare([]byte(token), []byte(auth.token)) == 1)
 if ok {
 return true
 } else {
- requireBasicAuth(wr)
+ requireBasicAuth(wr, req, auth.hiddenDomain)
 return false
 }
 }
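Review bot: The hidden-domain comparison in the new requireBasicAuth is exact-string while the stored value was lowercased in NewStaticAuth, so a request carrying `Host: Example.COM`, or a CONNECT whose req.URL.Host and Host header are `example.com:443`, never matches the configured `example.com` and receives the 400 instead of the 407 challenge, which makes the feature unusable for the common proxy case. Normalizing the request host the same way (lowercase, port stripped) before comparing keeps the behaviour consistent with the constructor; the helper below does that and needs `net` added to the file's imports, which lie outside this hunk. While touching it, the `else` after the terminating 400 branch can become an early return and the parameter should be `hiddenDomain` rather than `hidden_domain` per Go naming. The Validate call sites in this hunk need no change.
```go
func requireBasicAuth(wr http.ResponseWriter, req *http.Request, hiddenDomain string) {
	if hiddenDomain != "" && !hostMatches(req, hiddenDomain) {
		http.Error(wr, "Bad Request", http.StatusBadRequest)
		return
	}
	// … unchanged: Proxy-Authenticate header, Content-Length, 407 and body …
}

// hostMatches reports whether the request target or Host header names hidden,
// ignoring case and an explicit port, mirroring the lowercasing in NewStaticAuth.
func hostMatches(req *http.Request, hidden string) bool {
	for _, h := range []string{req.URL.Host, req.Host} {
		h = strings.ToLower(h)
		if host, _, err := net.SplitHostPort(h); err == nil {
			h = host
		}
		if h == hidden {
			return true
		}
	}
	return false
}
```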