Init

README.md

+# `auth-server` HTTP proxy
+
+This is a simple service to proxy authentication requests from an HTTP enabled
+service to the local `auth-server`. It binds on a port (defaulting to `4041`)
+only on `127.0.0.1` and tries to connect to the default unix socket of the
+`auth-server`.
+The request should be a POST with the following payload
+
+```json
+{
+    "username": "my.user@autistici.org",
+    "password": "guesswhat"
+}
+```
+
+If successful, 200 with no body is returned, 403 otherwise.

go.mod

+module git.autistici.org/id/auth-server-http-proxy
+
+go 1.18
+
+require git.autistici.org/id/auth v0.0.0-20220205154055-722a4f1509a9
+
+require (
+	git.autistici.org/id/usermetadb v0.0.0-20210507085300-ad16aa223703 // indirect
+	github.com/beorn7/perks v1.0.1 // indirect
+	github.com/cenkalti/backoff/v4 v4.1.2 // indirect
+	github.com/cespare/xxhash/v2 v2.1.2 // indirect
+	github.com/cloudflare/cfssl v0.0.0-20190726000631-633726f6bcb7 // indirect
+	github.com/duo-labs/webauthn v0.0.0-20220122034320-81aea484c951 // indirect
+	github.com/fxamacker/cbor/v2 v2.4.0 // indirect
+	github.com/golang-jwt/jwt/v4 v4.1.0 // indirect
+	github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e // indirect
+	github.com/golang/protobuf v1.5.2 // indirect
+	github.com/google/certificate-transparency-go v1.0.21 // indirect
+	github.com/google/uuid v1.3.0 // indirect
+	github.com/matttproud/golang_protobuf_extensions v1.0.1 // indirect
+	github.com/mitchellh/mapstructure v1.1.2 // indirect
+	github.com/prometheus/client_golang v1.12.1 // indirect
+	github.com/prometheus/client_model v0.2.0 // indirect
+	github.com/prometheus/common v0.32.1 // indirect
+	github.com/prometheus/procfs v0.7.3 // indirect
+	github.com/theckman/go-flock v0.8.1 // indirect
+	github.com/x448/float16 v0.8.4 // indirect
+	go.opencensus.io v0.23.0 // indirect
+	golang.org/x/crypto v0.0.0-20220131195533-30dcbda58838 // indirect
+	golang.org/x/sys v0.0.0-20220114195835-da31bd327af9 // indirect
+	google.golang.org/protobuf v1.27.1 // indirect
+)

main.go

+package main
+
+import (
+	"encoding/json"
+	"flag"
+	"fmt"
+	"log"
+	"net/http"
+
+	"git.autistici.org/id/auth"
+	"git.autistici.org/id/auth/client"
+)
+
+const defaultPort = 4041
+
+func main() {
+	var port = flag.Int("port", defaultPort, "A port to bind to on the specified addresses")
+	flag.Parse()
+
+	if flag.NArg() != 1 {
+		log.Fatal("Expected exactly one service name")
+	}
+
+	service := flag.Args()[0]
+
+	log.Fatal(http.ListenAndServe(
+		fmt.Sprintf("127.0.0.1:%d", *port),
+		http.HandlerFunc(authHandlerFunc(service))))
+}
+
+type authPayload struct {
+	User string `json:"username"`
+	Pass string `json:"password"`
+}
+
+func authHandlerFunc(service string) func(w http.ResponseWriter, r *http.Request) {
+	return func(w http.ResponseWriter, r *http.Request) {
+		var p authPayload
+		err := json.NewDecoder(r.Body).Decode(&p)
+		if err != nil {
+			log.Printf("malformed request: %s", err)
+			http.Error(w, "malformed request", http.StatusBadRequest)
+			return
+		}
+
+		c := client.New(client.DefaultSocketPath)
+		resp, err := c.Authenticate(r.Context(), &auth.Request{
+			Service:  service,
+			Username: p.User,
+			Password: []byte(p.Pass),
+		})
+		if err != nil {
+			log.Printf("auth error: %s", err)
+			http.Error(w, "internal server error", http.StatusInternalServerError)
+			return
+		}
+		switch resp.Status {
+		case auth.StatusOK:
+			w.WriteHeader(http.StatusOK)
+			return
+		case auth.StatusInsufficientCredentials:
+			http.Error(w, "wrong credentials", http.StatusForbidden)
+			return
+		case auth.StatusError:
+			http.Error(w, "internal server error", http.StatusInternalServerError)
+			return
+		}
+	}
+}