support authenticating with SHA-256 digest (#524)

2025-10-06 07:37:07 +08:00 · 2024-02-22 19:12:17 +01:00
parent c10f7aaedb
commit f040e20ac4
13 changed files with 241 additions and 120 deletions
--- a/pkg/auth/validate.go
+++ b/pkg/auth/validate.go
@@ -2,7 +2,7 @@ package auth

 import (
 	"crypto/md5"
-	"crypto/rand"
+	"crypto/sha256"
 	"encoding/hex"
 	"fmt"

@@ -16,41 +16,10 @@ func md5Hex(in string) string {
 	return hex.EncodeToString(h.Sum(nil))
 }

-// GenerateNonce generates a nonce that can be used in Validate().
-func GenerateNonce() (string, error) {
-	byts := make([]byte, 16)
-	_, err := rand.Read(byts)
-	if err != nil {
-		return "", err
-	}
-
-	return hex.EncodeToString(byts), nil
-}
-
-// GenerateWWWAuthenticate generates a WWW-Authenticate header.
-func GenerateWWWAuthenticate(methods []headers.AuthMethod, realm string, nonce string) base.HeaderValue {
-	if methods == nil {
-		methods = []headers.AuthMethod{headers.AuthBasic, headers.AuthDigest}
-	}
-
-	var ret base.HeaderValue
-	for _, m := range methods {
-		switch m {
-		case headers.AuthBasic:
-			ret = append(ret, (&headers.Authenticate{
-				Method: headers.AuthBasic,
-				Realm:  realm,
-			}).Marshal()...)
-
-		case headers.AuthDigest:
-			ret = append(ret, headers.Authenticate{
-				Method: headers.AuthDigest,
-				Realm:  realm,
-				Nonce:  nonce,
-			}.Marshal()...)
-		}
-	}
-	return ret
+func sha256Hex(in string) string {
+	h := sha256.New()
+	h.Write([]byte(in))
+	return hex.EncodeToString(h.Sum(nil))
 }

 func contains(list []headers.AuthMethod, item headers.AuthMethod) bool {
@@ -73,7 +42,7 @@ func Validate(
 	nonce string,
 ) error {
 	if methods == nil {
-		methods = []headers.AuthMethod{headers.AuthBasic, headers.AuthDigest}
+		methods = []headers.AuthMethod{headers.AuthDigestSHA256, headers.AuthDigestMD5, headers.AuthBasic}
 	}

 	var auth headers.Authorization
@@ -83,15 +52,8 @@ func Validate(
 	}

 	switch {
-	case auth.Method == headers.AuthBasic && contains(methods, headers.AuthBasic):
-		if auth.BasicUser != user {
-			return fmt.Errorf("authentication failed")
-		}
-
-		if auth.BasicPass != pass {
-			return fmt.Errorf("authentication failed")
-		}
-	case auth.Method == headers.AuthDigest && contains(methods, headers.AuthDigest):
+	case (auth.Method == headers.AuthDigestSHA256 && contains(methods, headers.AuthDigestSHA256)) ||
+		(auth.Method == headers.AuthDigestMD5 && contains(methods, headers.AuthDigestMD5)):
 		if auth.Nonce != nonce {
 			return fmt.Errorf("wrong nonce")
 		}
@@ -119,12 +81,29 @@ func Validate(
 			}
 		}

-		response := md5Hex(md5Hex(user+":"+realm+":"+pass) +
-			":" + nonce + ":" + md5Hex(string(req.Method)+":"+ur.String()))
+		var response string
+
+		if auth.Method == headers.AuthDigestSHA256 {
+			response = sha256Hex(sha256Hex(user+":"+realm+":"+pass) +
+				":" + nonce + ":" + sha256Hex(string(req.Method)+":"+ur.String()))
+		} else {
+			response = md5Hex(md5Hex(user+":"+realm+":"+pass) +
+				":" + nonce + ":" + md5Hex(string(req.Method)+":"+ur.String()))
+		}

 		if auth.Response != response {
 			return fmt.Errorf("authentication failed")
 		}
+
+	case auth.Method == headers.AuthBasic && contains(methods, headers.AuthBasic):
+		if auth.BasicUser != user {
+			return fmt.Errorf("authentication failed")
+		}
+
+		if auth.BasicPass != pass {
+			return fmt.Errorf("authentication failed")
+		}
+
 	default:
 		return fmt.Errorf("no supported authentication methods found")
 	}