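// Licensed under the Apache License, Version 2.0 (the "License"); you may not
// use this file except in compliance with the License. You may obtain a copy of
// the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
// WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
// License for the specific language governing permissions and limitations under
// the License.

// Package auth provides authentication and authorization for the server.
package auth

import (
	"net/http"
)

// CouchDB system roles. These are the reserved role names a UserContext may
// carry; HasRole matches them by exact string comparison.
const (
	RoleAdmin      = "_admin"
	RoleReader     = "_reader"
	RoleWriter     = "_writer"
	RoleReplicator = "_replicator"
	RoleDBUpdates  = "_db_updates"
	RoleDesign     = "_design"
)

// typeJSON is the JSON media type. Nothing in this file uses it; presumably
// handlers elsewhere in the package use it for Content-Type handling.
const typeJSON = "application/json"

// UserContext represents a [CouchDB UserContext object].
//
// Salt carries the `json:"-"` tag and is therefore never included when a
// UserContext is encoded, so it cannot be returned to a client as part of a
// serialized user context.
//
// [CouchDB UserContext object]: https://docs.couchdb.org/en/stable/json-structure.html#user-context-object
type UserContext struct {
	// Database is the database this context applies to; omitted from JSON
	// when empty.
	Database string `json:"db,omitempty"`

	// Name is the user name.
	Name string `json:"name"`

	// Roles holds the user's role names. A nil slice encodes as JSON null
	// rather than an empty array; callers that need "roles": [] must set a
	// non-nil empty slice.
	Roles []string `json:"roles"`

	// Salt is needed to calculate cookie tokens. It is never serialized.
	Salt string `json:"-"`
}

// HasRole reports whether the user has the specified role, by exact
// (case-sensitive) string comparison against c.Roles. It does not treat
// RoleAdmin as implying any other role; callers that want an admin override
// must check RoleAdmin explicitly.
//
// A nil receiver has no roles and returns false, so an absent (unauthenticated)
// user context can be tested without a separate nil check instead of
// panicking.
func (c *UserContext) HasRole(role string) bool {
	if c == nil {
		return false
	}
	for _, r := range c.Roles {
		if r == role {
			return true
		}
	}
	return false
}

// Server is the interface for the server which exposes capabilities needed
// by auth handlers.
type Server interface {
	// UserStore returns the server's user store.
	UserStore() UserStore
	// Bind binds the request to the given value; presumably it decodes the
	// request body into it — confirm against the server implementation.
	Bind(*http.Request, interface{}) error
}

// AuthenticateFunc authenticates the HTTP request. On success, a user context
// must be returned. Any error will immediately terminate the authentication
// process, returning an error to the client. In particular, this means that
// an "unauthorized" error must not be returned if fallthrough is intended.
// If a response is sent, execution does not continue. This allows handlers
// to expose their own API endpoints (for example, the default cookie auth
// handler adds POST /_session and DELETE /_session handlers).
type AuthenticateFunc func(http.ResponseWriter, *http.Request) (*UserContext, error)

// Handler is an auth handler.
type Handler interface {
	// Init should return the name of the authentication method, and an
	// authentication function. It is only called once on server startup.
	Init(Server) (string, AuthenticateFunc)
}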