Diffstat (limited to 'internal')
-rw-r--r--internal/admin/server.go71
1 files changed, 30 insertions, 41 deletions
diff --git a/internal/admin/server.go b/internal/admin/server.go
index 948e97e..410560f 100644
--- a/internal/admin/server.go
+++ b/internal/admin/server.go
@@ -83,52 +83,41 @@ func (s *Server) Engine() *gin.Engine {
return s.engine
}
-// ServeHTTP implements http.Handler. Expected to be mounted with a stripped
-// prefix, e.g.: http.StripPrefix("/admin", srv)
-func (s *Server) ServeHTTP(w http.ResponseWriter, r *http.Request) {
- if !s.checkAuth(w, r) {
- return
- }
-
- if s.tmpl == nil {
- s.tmpl = mustParseTemplates()
- }
+// authMiddleware returns a Gin middleware that validates Basic Auth credentials.
+func (s *Server) authMiddleware() gin.HandlerFunc {
+ return func(c *gin.Context) {
+ // Skip auth if no auth file is configured
+ if s.AuthFile == "" {
+ c.Next()
+ return
+ }
- path := strings.TrimRight(r.URL.Path, "/")
+ // Skip auth if auth file doesn't exist
+ if _, err := os.Stat(s.AuthFile); os.IsNotExist(err) {
+ c.Next()
+ return
+ }
- switch {
- case path == "" || path == "/":
- s.handleList(w, r)
- case path == "/new":
- s.handleNew(w, r)
- case strings.HasSuffix(path, "/edit"):
- slug := strings.TrimPrefix(strings.TrimSuffix(path, "/edit"), "/")
- s.handleEdit(w, r, slug)
- case strings.HasSuffix(path, "/delete"):
- slug := strings.TrimPrefix(strings.TrimSuffix(path, "/delete"), "/")
- s.handleDelete(w, r, slug)
- default:
- http.NotFound(w, r)
- }
-}
+ // Extract Basic Auth credentials
+ username, password, ok := c.Request.BasicAuth()
+ if !ok {
+ c.Header("WWW-Authenticate", `Basic realm="Admin"`)
+ c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"error": "Unauthorized"})
+ return
+ }
-func (s *Server) checkAuth(w http.ResponseWriter, r *http.Request) bool {
- if s.AuthFile == "" {
- return false
- }
- if _, err := os.Stat(s.AuthFile); os.IsNotExist(err) {
- return false
- }
- a := auth.New(s.AuthFile)
- username, password, ok := r.BasicAuth()
- if ok {
- if valid, err := a.Verify(username, password); err == nil && valid {
- return true
+ // Verify credentials
+ a := auth.New(s.AuthFile)
+ valid, err := a.Verify(username, password)
+ if err != nil || !valid {
+ c.Header("WWW-Authenticate", `Basic realm="Admin"`)
+ c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"error": "Unauthorized"})
+ return
}
+
+ // Auth succeeded, continue
+ c.Next()
}
- w.Header().Set("WWW-Authenticate", `Basic realm="Admin"`)
- http.Error(w, "Unauthorised", http.StatusUnauthorized)
- return false
}
// ── Handlers ─────────────────────────────────────────────────────────────────
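Review bot: The new authMiddleware fails open: when `s.AuthFile` is empty or the file is missing it calls `c.Next()` and lets the request through unauthenticated, whereas the removed `checkAuth` returned false and stopped `ServeHTTP` in both cases, so a deleted, unmounted or unset auth file now turns the admin routes into an unauthenticated surface. The comments "Skip auth if no auth file is configured" suggest this was intended, but an unreachable credential store should deny rather than grant; replace both `c.Next(); return` guards with `c.AbortWithStatusJSON(http.StatusServiceUnavailable, gin.H{"error": "admin auth not configured"}); return` (or a 401 with the same `WWW-Authenticate` header used below), and if a no-auth dev mode is genuinely wanted, gate it on an explicit option rather than on the absence of a file. Note also that `os.Stat` errors other than not-exist (for example a permission error) fall through to `auth.New`/`Verify`, which presumably then fails with 401 — worth a short comment so the two branches do not look inconsistent. The middleware is complete within this hunk; the handlers that follow are outside it.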