From 6b024dd763299a5310da7fc48e4fa90b97c66969 Mon Sep 17 00:00:00 2001
From: Vladislav Yarmak <vladislav@vm-0.com>
Date: Sun, 24 May 2020 18:26:23 +0300
Subject: [PATCH] auth: hidden_auth option

---
 auth.go | 43 ++++++++++++++++++++++++++-----------------
 1 file changed, 26 insertions(+), 17 deletions(-)

diff --git a/auth.go b/auth.go
index 3ae0bf7..73e288f 100644
--- a/auth.go
+++ b/auth.go
@@ -33,49 +33,58 @@ func NewAuth(paramstr string) (Auth, error) {
     }
 }
 
-type StaticAuth string
+type StaticAuth struct {
+    token string
+    hiddenDomain string
+}
 
-func NewStaticAuth(param_url *url.URL) (StaticAuth, error) {
+func NewStaticAuth(param_url *url.URL) (*StaticAuth, error) {
     values, err := url.ParseQuery(param_url.RawQuery)
     if err != nil {
-        return StaticAuth(""), err
+        return nil, err
     }
     username := values.Get("username")
     if username == "" {
-        return StaticAuth(""), errors.New("\"username\" parameter is missing from auth config URI")
+        return nil, errors.New("\"username\" parameter is missing from auth config URI")
     }
     password := values.Get("password")
     if password == "" {
-        return StaticAuth(""), errors.New("\"password\" parameter is missing from auth config URI")
+        return nil, errors.New("\"password\" parameter is missing from auth config URI")
     }
-    return StaticAuth(base64.StdEncoding.EncodeToString(
-        []byte(username + ":" + password))), nil
+    return &StaticAuth{
+        token: base64.StdEncoding.EncodeToString([]byte(username + ":" + password)),
+        hiddenDomain: strings.ToLower(values.Get("hidden_domain")),
+    }, nil
 }
 
-func requireBasicAuth(wr http.ResponseWriter) {
-    wr.Header().Set("Proxy-Authenticate", `Basic realm="dumbproxy"`)
-    wr.Header().Set("Content-Length", strconv.Itoa(len([]byte(AUTH_REQUIRED_MSG))))
-    wr.WriteHeader(407)
-    wr.Write([]byte(AUTH_REQUIRED_MSG))
+func requireBasicAuth(wr http.ResponseWriter, req *http.Request, hidden_domain string) {
+    if hidden_domain != "" && req.URL.Host != hidden_domain && req.Host != hidden_domain {
+        http.Error(wr, "Bad Request", http.StatusBadRequest)
+    } else {
+        wr.Header().Set("Proxy-Authenticate", `Basic realm="dumbproxy"`)
+        wr.Header().Set("Content-Length", strconv.Itoa(len([]byte(AUTH_REQUIRED_MSG))))
+        wr.WriteHeader(407)
+        wr.Write([]byte(AUTH_REQUIRED_MSG))
+    }
 }
 
-func (auth StaticAuth) Validate(wr http.ResponseWriter, req *http.Request) bool {
+func (auth *StaticAuth) Validate(wr http.ResponseWriter, req *http.Request) bool {
     hdr := req.Header.Get("Proxy-Authorization")
     if hdr == "" {
-        requireBasicAuth(wr)
+        requireBasicAuth(wr, req, auth.hiddenDomain)
         return false
     }
     hdr_parts := strings.SplitN(hdr, " ", 2)
     if len(hdr_parts) != 2 || strings.ToLower(hdr_parts[0]) != "basic" {
-        requireBasicAuth(wr)
+        requireBasicAuth(wr, req, auth.hiddenDomain)
         return false
     }
     token := hdr_parts[1]
-    ok := (subtle.ConstantTimeCompare([]byte(token), []byte(auth)) == 1)
+    ok := (subtle.ConstantTimeCompare([]byte(token), []byte(auth.token)) == 1)
     if ok {
         return true
     } else {
-        requireBasicAuth(wr)
+        requireBasicAuth(wr, req, auth.hiddenDomain)
         return false
     }
 }