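//                           _       _
// __      _____  __ ___   ___  __ _| |_ ___
// \ \ /\ / / _ \/ _` \ \ / / |/ _` | __/ _ \
//  \ V  V /  __/ (_| |\ V /| | (_| | ||  __/
//   \_/\_/ \___|\__,_| \_/ |_|\__,_|\__\___|
//
//  Copyright © 2016 - 2024 Weaviate B.V. All rights reserved.
//
//  CONTACT: hello@weaviate.io
//

package anonymous

import (
	"net/http"
	"strings"

	"github.com/go-openapi/runtime"
	"github.com/weaviate/weaviate/usecases/config"
)

// Client gates requests that carry no credentials at all. It is built from
// the Authentication.AnonymousAccess section of the server config.
type Client struct {
	config config.AnonymousAccess
}

// New builds an anonymous-access client from cfg. Client.Middleware can be
// used as a regular golang http-middleware.
func New(cfg config.Config) *Client {
	return &Client{config: cfg.Authentication.AnonymousAccess}
}

// Middleware rejects requests that present no credentials when anonymous
// access is disabled. With anonymous access enabled it is a no-op and hands
// back next unchanged.
//
// This middleware performs no validation of its own: a request is passed on
// as soon as a bearer token is found in the Authorization header, the
// access_token query parameter or a form body (see hasBearerAuth). A request
// carrying `Authorization: Bearer garbage` therefore clears this gate and
// relies entirely on the OIDC authenticator further down the wrapped handler
// chain to reject it — per the original authors this middleware should run
// after all previous middlewares; NOTE(review): confirm that ordering at the
// call site whenever the middleware stack is rearranged.
//
// Requests without any credential receive a 401 with a JSON error body.
func (c *Client) Middleware(next http.Handler) http.Handler {
	if c.config.Enabled {
		// Anonymous access is allowed: nothing to enforce, return the
		// original stack untouched.
		return next
	}

	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if hasBearerAuth(r) {
			// Some credential is present. Whether it is valid is decided
			// downstream by the OIDC authenticator, not here.
			next.ServeHTTP(w, r)
			return
		}

		// RFC 7235 requires a WWW-Authenticate challenge on a 401, and the
		// body is JSON, so label it as such instead of letting the client
		// sniff the content type.
		w.Header().Set("Content-Type", "application/json")
		w.Header().Set("WWW-Authenticate", "Bearer")
		w.WriteHeader(http.StatusUnauthorized)
		// The write error is deliberately dropped: the caller has already
		// been refused and there is nothing left to do if it went away.
		_, _ = w.Write([]byte(
			`{"code":401,"message":"anonymous access not enabled, please provide an auth scheme such as OIDC"}`,
		))
	})
}

// hasBearerAuth reports whether r carries a bearer token in any of the
// places go-swagger's bearer authenticator looks: the Authorization header
// (case-sensitive "Bearer " prefix), the access_token query parameter, or an
// access_token form field when the body is form-encoded or multipart. Only
// presence is checked; the token itself is never inspected.
//
// The logic is copied from go-swagger on purpose so that the two decisions
// cannot drift:
// https://github.com/go-openapi/runtime/blob/109737172424d8a656fd1199e28c9f5cc89b0cca/security/authenticator.go#L208-L225
// Keep it in sync with that reference when the dependency is upgraded and do
// not "improve" it locally: a request this function accepts but go-swagger
// does not would clear the anonymous-access gate without a usable credential
// and depend solely on whatever the wrapped handler enforces.
//
// Security notes for operators: tokens passed in the query string end up in
// access and proxy logs, and for form-encoded/multipart bodies r.FormValue
// parses the request body before any authentication has taken place.
func hasBearerAuth(r *http.Request) bool {
	const prefix = "Bearer "
	var token string
	hdr := r.Header.Get("Authorization")
	if strings.HasPrefix(hdr, prefix) {
		token = strings.TrimPrefix(hdr, prefix)
	}
	if token == "" {
		qs := r.URL.Query()
		token = qs.Get("access_token")
	}
	//#nosec
	ct, _, _ := runtime.ContentType(r.Header)
	if token == "" && (ct == "application/x-www-form-urlencoded" || ct == "multipart/form-data") {
		token = r.FormValue("access_token")
	}
	// End of go-swagger logic

	return token != ""
}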