Home Esplora Aiuto
Registrati Accedi
gabrieldias
/
GoApi
1
1
Forka 0
File Problemi 0 Pull Requests 0 Wiki
Albero (Tree): 34832cc581
Rami (Branch) Tag
GoApi
/
internal
/
middleware
/
hmac.go

hmac.go 2.0 KB
Cronologia Originale

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263 
  1. package middleware
    2. 

  2. 

  3. import (
    4. 

  4.     "bytes"
    5. 

  5.     "crypto/hmac"
    6. 

  6.     "crypto/sha256"
    7. 

  7.     "encoding/hex"
    8. 

  8.     "io"
    9. 

  9.     "net/http"
    10. 

  10.     "strconv"
    11. 

  11.     "time"
    12. 

  12. )
    13. 

  13. 

  14. func HMACAuth(secret string) func(http.Handler) http.Handler {
    15. 

  15.     return func(next http.Handler) http.Handler {
    16. 

  16.         return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
    17. 

  17.             ts := r.Header.Get("X-Timestamp")
    18. 

  18.             sig := r.Header.Get("X-Signature")
    19. 

  19.             if ts == "" || sig == "" {
    20. 

  20.                 http.Error(w, "Missing HMAC headers", http.StatusUnauthorized)
    21. 

  21.                 return
    22. 

  22.             }
    23. 

  23. 

  24.             unix, err := strconv.ParseInt(ts, 10, 64)
    25. 

  25.             if err != nil {
    26. 

  26.                 http.Error(w, "Invalid timestamp", http.StatusUnauthorized)
    27. 

  27.                 return
    28. 

  28.             }
    29. 

  29.             now := time.Now().Unix()
    30. 

  30.             const skew = int64(300) 
    31. 

  31.             if unix < now-skew || unix > now+skew {
    32. 

  32.                 http.Error(w, "Timestamp out of allowed range", http.StatusUnauthorized)
    33. 

  33.                 return
    34. 

  34.             }
    35. 

  35. 

  36.             var bodyBytes []byte
    37. 

  37.             if r.Body != nil {
    38. 

  38.                 bodyBytes, _ = io.ReadAll(r.Body)
    39. 

  39.             }
    40. 

  40.             r.Body = io.NopCloser(bytes.NewReader(bodyBytes))
    41. 

  41. 

  42.             msg := r.Method + "\n" + r.URL.Path + "\n" + ts + "\n" + string(bodyBytes)
    43. 

  43. 

  44.             mac := hmac.New(sha256.New, []byte(secret))
    45. 

  45.             mac.Write([]byte(msg))
    46. 

  46.             expected := mac.Sum(nil)
    47. 

  47.             expectedHex := hex.EncodeToString(expected)
    48. 

  48. 

  49.             provided, err := hex.DecodeString(sig)
    50. 

  50.             if err != nil {
    51. 

  51.                 http.Error(w, "Invalid signature encoding", http.StatusUnauthorized)
    52. 

  52.                 return
    53. 

  53.             }
    54. 

  54. 

  55.             if !hmac.Equal(expected, provided) && sig != expectedHex {
    56. 

  56.                 http.Error(w, "Invalid signature", http.StatusUnauthorized)
    57. 

  57.                 return
    58. 

  58.             }
    59. 

  59. 

  60.             next.ServeHTTP(w, r)
    61. 

  61.         })
    62. 

  62.     }
    63. 

  63. }
    64.