Authenticate validates the user credentials in req and returns the user, if valid.
(w http.ResponseWriter, req *http.Request)
| 141 | |
// Authenticate checks the HTTP Basic credentials carried by req against
// hba.Accounts and reports the authenticated user.
//
// It returns (User{ID: username}, true, nil) only when the request carries
// Basic credentials, the account exists, and hba.correctPassword reports a
// match without error. Every other outcome is delegated to
// hba.promptForCredentials, which is passed nil when no credentials were
// supplied and otherwise whatever error correctPassword returned (possibly nil).
//
// Security note: an unknown username does not short-circuit. The password
// check still runs, against hba.fakePassword, so that a request for a missing
// account is intended to cost about as much as one for a real account and
// account existence is harder to infer from response time.
// NOTE(review): that only holds if hba.fakePassword is the same kind of value
// as a real stored password and correctPassword does comparable work for both;
// neither is visible here, so confirm where fakePassword is set up.
func (hba HTTPBasicAuth) Authenticate(w http.ResponseWriter, req *http.Request) (User, bool, error) {
	user, plaintext, hasCreds := req.BasicAuth()
	if !hasCreds {
		return hba.promptForCredentials(w, nil)
	}

	acct, known := hba.Accounts[user]
	if !known {
		// Deliberately no early return: substitute the placeholder password so
		// the comparison below still executes for unknown usernames.
		acct.password = hba.fakePassword
	}

	matched, err := hba.correctPassword(acct, []byte(plaintext))

	// known is re-checked here so the placeholder comparison can never
	// authenticate a username that is not in hba.Accounts.
	if err == nil && matched && known {
		return User{ID: user}, true, nil
	}
	return hba.promptForCredentials(w, err)
}
| 164 | |
| 165 | func (hba HTTPBasicAuth) correctPassword(account Account, plaintextPassword []byte) (bool, error) { |
| 166 | compare := func() (bool, error) { |