From bb9c788306c72eacb0338411703fe3e9043393fe Mon Sep 17 00:00:00 2001
From: Gabe Kangas
Date: Sat, 3 Oct 2020 23:06:48 -0700
Subject: [PATCH] Support CORS+Basic auth together

---
 controllers/admin/inboundBroadcasterDetails.go | 3 ---
 router/middleware/auth.go | 15 ++++++++++++++-
 2 files changed, 14 insertions(+), 4 deletions(-)

diff --git a/controllers/admin/inboundBroadcasterDetails.go b/controllers/admin/inboundBroadcasterDetails.go
index fa20198f3..7abfe0e5c 100644
--- a/controllers/admin/inboundBroadcasterDetails.go
+++ b/controllers/admin/inboundBroadcasterDetails.go
@@ -7,13 +7,10 @@ import (
 	"github.com/gabek/owncast/controllers"
 	"github.com/gabek/owncast/core"
 	"github.com/gabek/owncast/models"
-	"github.com/gabek/owncast/router/middleware"
 )
 
 // GetInboundBroadasterDetails gets the details of the inbound broadcaster
 func GetInboundBroadasterDetails(w http.ResponseWriter, r *http.Request) {
-	middleware.EnableCors(&w)
-
 	broadcaster := core.GetBroadcaster()
 	if broadcaster == nil {
 		controllers.WriteSimpleResponse(w, false, "no broadcaster connected")
diff --git a/router/middleware/auth.go b/router/middleware/auth.go
index e168b0ac9..13974ab1f 100644
--- a/router/middleware/auth.go
+++ b/router/middleware/auth.go
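Review bot: Dropping the `middleware.EnableCors(&w)` call leaves GetInboundBroadasterDetails with no CORS handling of its own, so it only keeps working cross-origin if its route is registered behind RequireAdminAuth, which this patch does not show; the doc comment should record that dependency, e.g. `// GetInboundBroadasterDetails gets the details of the inbound broadcaster. CORS headers are emitted by middleware.RequireAdminAuth, so this handler must be mounted behind it.` The replacement in auth.go echoes the request's Origin header into Access-Control-Allow-Origin while also sending Access-Control-Allow-Credentials: true, which its own comment names as the place to lock down; an explicit origin allowlist with a `Vary: Origin` header would stop the admin endpoint from honouring credentialed requests from arbitrary sites. Whether the router actually wraps this route cannot be confirmed from the hunk, and the handler's body continues past the hunk.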
@@ -13,11 +13,24 @@ import (
 func RequireAdminAuth(handler http.HandlerFunc) http.HandlerFunc {
 	username := "admin"
 	password := config.Config.VideoSettings.StreamingKey
+	realm := "Owncast Authenticated Request"
 	return func(w http.ResponseWriter, r *http.Request) {
+		// The following line is kind of a work around.
+		// If you want HTTP Basic Auth + Cors it requires _explicit_ origins to be provided in the
+		// Access-Control-Allow-Origin header. So we just pull out the origin header and specify it.
+		// If we want to lock down admin APIs to not be CORS accessible for anywhere, this is where we would do that.
+		w.Header().Set("Access-Control-Allow-Origin", r.Header.Get("Origin"))
+		w.Header().Set("Access-Control-Allow-Credentials", "true")
+		w.Header().Set("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept, Authorization")
+
+		// For request needing CORS, send a 200.
+		if r.Method == "OPTIONS" {
+			w.WriteHeader(http.StatusOK)
+			return
+		}
 		user, pass, ok := r.BasicAuth()
-		realm := "Owncast Authenticated Request"
 		// Failed
 		if !ok || subtle.ConstantTimeCompare([]byte(user), []byte(username)) != 1 || subtle.ConstantTimeCompare([]byte(pass), []byte(password)) != 1 {