Author: Adam <git@apiote.xyz>
check POST authorization
password.sh | 23 +++++++++++++++++++++++ server2.sh | 39 ++++++++++++++++++++++++++++++++++++---
diff --git a/password.sh b/password.sh new file mode 100755 index 0000000000000000000000000000000000000000..f7f5420d6d1cae05b8b17341848d1907ad6808c6 --- /dev/null +++ b/password.sh @@ -0,0 +1,23 @@ +#!/bin/sh + +encode() { + if [ -z "$1" ] + then + salt=$(dd if=/dev/urandom count=7 bs=1 2>/dev/null | base32 | tr -d '=') + else + salt=$1 + fi + cat - | argon2 "$salt" -id -t 3 -m 12 -p 1 -l 32 -e +} + +verify() { + stored=$1 + salt=$(echo "$stored" | cut -d '$' -f 5 | base64 -d) + tested=$(cat - | encode "$salt") + test "$stored" = "$tested" +} + +if [ "$(basename "$0")" = 'password.sh' ] +then + cat - | encode "$1" +fi diff --git a/server2.sh b/server2.sh index 876f32b7a1402a6c600756af8852f1972a9b4e0a..1d64f38d22ecb3f09e152f4d45b3007a10cee45f 100755 --- a/server2.sh +++ b/server2.sh @@ -4,6 +4,7 @@ # Based on server by Upper Stream (c) 2017, MIT license . start.sh . get.sh +. password.sh set -e @@ -65,6 +66,18 @@ printf "HTTP/1.1 202 Accepted\r\nContent-Length: %s\r\nLocation: /toys/%s/%s\r\n\r\n%s\r\n" "${#message}" "$name" "$item" "$message" > "$fifo1" printf "202 -" } +respond401() { + message="" + printf "HTTP/1.1 401 Unauthorized\r\nContent-Length: %s\r\n\r\n%s\r\n" "${#message}" "$message" > "$fifo1" + printf "401 -" +} + +respond403() { + message="" + printf "HTTP/1.1 403 Forbidden\r\nContent-Length: %s\r\n\r\n%s\r\n" "${#message}" "$message" > "$fifo1" + printf "403 -" +} + respond404() { path=$1 # todo template @@ -86,9 +99,25 @@ printf "HTTP/1.1 500 Internal Server Error\r\nContent-Length: %s\r\n\r\n%s\r\n" "${#message}" "$message" > "$fifo1" printf "500 -" } +check_auth() { + authorization=$1 + stored=$(cat password) + if [ -z "$stored" ] || [ -z "$authorization" ] + then + respond401 + return 1 + fi + if ! printf '%s' "$authorization" | verify "$stored" + then + respond403 + return 1 + fi +} + execute() { method="$1" path="$2" + authorization="$3" toys=$(field "$path" 2) if [ "$toys" != 'toys' ] then @@ -134,6 +163,8 @@ respond404 "$path" fi ;; POST) + check_auth "$authorization" || return + toy=$(field "$path" 3) if [ "$(slashes "$path")" -ne 3 ] || [ -n "$(field "$path" 4)" ] then @@ -177,12 +208,14 @@ ;; Host:*) host=${line#Host: } ;; - # Authorization + Authorization:*) + authorization=${line#Authorization: } + ;; *:*) ;; "") date=$(date +'%d/%m/%Y:%H:%M:%S %z') - status_length=$(execute "$method" "$path") + status_length=$(execute "$method" "$path" "$authorization") printf "%s %s \"http://%s%s\" %s\n" "$date" "$method" "$host" "$path" "$status_length" trap - INT exit @@ -194,7 +227,7 @@ done } # dependency verification -for cmd in nc; do +for cmd in nc argon2 podman; do command -v $cmd >/dev/null || { echo "$0: \`$cmd\` not found"; exit 2; } done