auth.go

package admin

import (

	"crypto/subtle"

	"html/template"

	"net/http"

	"strings"

	"go.bigb.es/curator/internal/oidcauth"

)

// AuthMiddleware protects admin routes with admin token and/or OIDC.

// Supports Bearer token in Authorization header, cookie-based sessions,

// and OIDC session cookies.

func AuthMiddleware(adminToken string, oidcProvider *oidcauth.Provider, next http.Handler) http.Handler {

	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {

		if adminToken == "" && oidcProvider == nil {

			http.Error(w, "admin access not configured", http.StatusForbidden)

			return

		}

		// Check Authorization: Bearer header (admin token).

		if adminToken != "" {

			if auth := r.Header.Get("Authorization"); auth != "" {

				if token, ok := strings.CutPrefix(auth, "Bearer "); ok {

					if subtle.ConstantTimeCompare([]byte(token), []byte(adminToken)) == 1 {

						next.ServeHTTP(w, r)

						return

					}

				}

			}

		}

		// Check curator_admin cookie (admin token session).

		if adminToken != "" {

			if cookie, err := r.Cookie("curator_admin"); err == nil {

				if subtle.ConstantTimeCompare([]byte(cookie.Value), []byte(adminToken)) == 1 {

					next.ServeHTTP(w, r)

					return

				}

			}

		}

		// Check curator_session cookie (OIDC session).

		if oidcProvider != nil {

			if cookie, err := r.Cookie("curator_session"); err == nil {

				if email := oidcProvider.ValidateSession(cookie.Value); email != "" {

					next.ServeHTTP(w, r)

					return

				}

			}

		}

		// Handle login page.

		if r.URL.Path == "/-/admin/login" {

			// If only OIDC is configured (no admin_token), redirect straight to OIDC.

			if adminToken == "" && oidcProvider != nil {

				http.Redirect(w, r, "/-/oidc/login", http.StatusSeeOther)

				return

			}

			returnURL := r.URL.Query().Get("return")

			if adminToken != "" && r.Method == http.MethodPost {

				token := r.FormValue("token")

				// Return URL from hidden form field (POST doesn't carry query params).

				if ret := r.FormValue("return"); ret != "" {

					returnURL = ret

				}

				if subtle.ConstantTimeCompare([]byte(token), []byte(adminToken)) == 1 {

					http.SetCookie(w, &http.Cookie{

						Name:     "curator_admin",

						Value:    adminToken,

						Path:     "/-/",

						HttpOnly: true,

						SameSite: http.SameSiteStrictMode,

					})

					http.SetCookie(w, &http.Cookie{

						Name:     "curator_auth",

						Value:    adminToken,

						Path:     "/",

						HttpOnly: true,

						SameSite: http.SameSiteStrictMode,

					})

					if returnURL == "" || !strings.HasPrefix(returnURL, "/") {

						returnURL = "/-/admin/"

					}

					http.Redirect(w, r, returnURL, http.StatusSeeOther)

					return

				}

				w.WriteHeader(http.StatusUnauthorized)

				renderLogin(w, "Invalid token", oidcProvider != nil, returnURL)

				return

			}

			renderLogin(w, "", oidcProvider != nil, returnURL)

			return

		}

		// Redirect to login for browser requests.

		if strings.HasPrefix(r.URL.Path, "/-/admin/") {

			// If only OIDC configured, go straight to OIDC.

			if adminToken == "" && oidcProvider != nil {

				http.Redirect(w, r, "/-/oidc/login", http.StatusSeeOther)

				return

			}

			http.Redirect(w, r, "/-/admin/login", http.StatusSeeOther)

			return

		}

		// API requests get 401.

		w.Header().Set("WWW-Authenticate", `Bearer realm="curator admin"`)

		http.Error(w, "unauthorized", http.StatusUnauthorized)

	})

}

func renderLogin(w http.ResponseWriter, errMsg string, hasOIDC bool, returnURL string) {

	w.Header().Set("Content-Type", "text/html; charset=utf-8")

	page := `<!DOCTYPE html>

<html><head><meta charset="utf-8"><meta name="viewport" content="width=device-width, initial-scale=1">

<title>Curator Login</title>

<style>

:root{--bg:#fff;--text:#202124;--border:#dadce0;--accent:#1a73e8;--err:#d93025}

@media(prefers-color-scheme:dark){:root{--bg:#1e1e1e;--text:#d4d4d4;--border:#404040;--accent:#6cb6ff;--err:#f28b82}}

*{box-sizing:border-box;margin:0;padding:0}

body{font-family:system-ui,sans-serif;background:var(--bg);color:var(--text);display:flex;justify-content:center;align-items:center;min-height:100vh}

.login{border:1px solid var(--border);border-radius:8px;padding:32px;max-width:360px;width:100%}

h1{font-size:20px;margin-bottom:16px}

input[type=password]{display:block;width:100%;padding:10px 12px;border:1px solid var(--border);border-radius:4px;font-size:14px;margin-bottom:16px;background:var(--bg);color:var(--text)}

button{background:var(--accent);color:#fff;border:none;padding:10px 24px;border-radius:4px;font-size:14px;cursor:pointer;width:100%}

button:hover{opacity:0.9}

.err{color:var(--err);font-size:13px;margin-bottom:12px}

.divider{text-align:center;color:var(--border);margin:16px 0;font-size:13px}

.sso-btn{background:transparent;color:var(--accent);border:1px solid var(--accent);margin-top:0}

.sso-btn:hover{background:var(--accent);color:#fff}

</style></head><body>

<div class="login"><h1>Curator</h1>`

	if errMsg != "" {

		page += `<p class="err">` + errMsg + `</p>`

	}

	page += `<form method="POST" action="/-/admin/login">

<input type="hidden" name="return" value="` + template.HTMLEscapeString(returnURL) + `">

<input type="password" name="token" placeholder="Token" autofocus required>

<button type="submit">Login</button>

</form>`

	if hasOIDC {

		page += `<div class="divider">— or —</div>

<a href="/-/oidc/login"><button type="button" class="sso-btn">Login with SSO</button></a>`

	}

	page += `</div></body></html>`

	w.Write([]byte(page))

}