authorkali kaneko (leap communications) <kali@leap.se>2020-01-24 22:24:26 -0600
committerkali kaneko (leap communications) <kali@leap.se>2020-01-24 22:24:26 -0600
commitd3b21e5adc27cbb472e688b7c602e3bd721dec31 (patch)
tree4db7bd5dcdff857e543a64932caa03285f6b4df9 /pkg
parentd437b73a8c2dda9884c92d2be44727e66c2289e2 (diff)
protect certificate handler
Diffstat (limited to 'pkg')
-rw-r--r--pkg/auth/middleware.go38
1 files changed, 34 insertions, 4 deletions
diff --git a/pkg/auth/middleware.go b/pkg/auth/middleware.go
index a3a955c..5fe0ab7 100644
--- a/pkg/auth/middleware.go
+++ b/pkg/auth/middleware.go
@@ -1,12 +1,42 @@
package auth
-import ()
-
import (
+ "0xacab.org/leap/vpnweb/pkg/web"
"github.com/auth0/go-jwt-middleware"
jwt "github.com/dgrijalva/jwt-go"
+ "log"
+ "net/http"
)
-func getProtectedHandler() {
- jwtMiddleware.Handler(CertHandler)
+const anonAuth string = "anon"
+const sipAuth string = "sip"
+
+var jwtSecret = []byte("somethingverysecret")
+
+func getHandler(ch web.CertHandler) func(w http.ResponseWriter, r *http.Request) {
+ return ch.CertResponder
+}
+
+//func AuthMiddleware(auth string, ch web.CertHandler) func(w http.ResponseWriter, r *http.Request) {
+func AuthMiddleware(auth string, ch web.CertHandler) http.Handler {
+
+ jwtMiddleware := jwtmiddleware.New(jwtmiddleware.Options{
+ ValidationKeyGetter: func(token *jwt.Token) (interface{}, error) {
+ return jwtSecret, nil
+ },
+ // When set, the middleware verifies that tokens are signed with the specific signing algorithm
+ // If the signing method is not constant the ValidationKeyGetter callback can be used to implement additional checks
+ // Important to avoid security issues described here: https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/
+ SigningMethod: jwt.SigningMethodHS256,
+ })
+
+ switch auth {
+ case anonAuth:
+ return http.HandlerFunc(ch.CertResponder)
+ case sipAuth:
+ return jwtMiddleware.Handler(http.HandlerFunc(ch.CertResponder))
+ default:
+ log.Fatal("Unknown auth module: '", auth, "'. Should be one of: ", anonAuth, ", ", sipAuth, ".")
+ }
+ return nil
}
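Review bot: The HS256 signing key on the `var jwtSecret = []byte("somethingverysecret")` line is a short, fixed literal committed to the repository, so anyone with read access to the source can mint tokens that `AuthMiddleware` accepts; the key should be loaded at startup from configuration (environment or a secrets file) and be long random bytes, e.g. `var jwtSecret []byte // populated at startup from configuration; never a literal in source`, with the ValidationKeyGetter returning an error while it is still empty. Pinning `SigningMethod` to `jwt.SigningMethodHS256` is the right guard against algorithm confusion and should stay. In the `default` branch, `log.Fatal` exits the process, so the trailing `return nil` is unreachable in practice, but if that call is ever softened to a log line the function would return a nil `http.Handler` that panics on the first request; returning an explicit error or a handler that answers 500 would be safer. `getHandler` is defined but not used by the new code and could be dropped.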