hibiscus/auth.go

package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"log/slog"
	"net/http"
	"os"
	"strings"
	"time"
)

type failedLogin struct {
	Username  string
	Password  string
	Timestamp time.Time
}

var failedLogins []failedLogin

// NoteLoginFail attempts to log and counteract bruteforce attacks.
func NoteLoginFail(username string, password string, r *http.Request) {
	slog.Warn("failed auth", "username", username, "password", password, "address", r.RemoteAddr)
	NotifyTelegram(fmt.Sprintf(TranslatableText("info.telegram.auth_fail")+":\nusername=%s\npassword=%s\nremote=%s", username, password, r.RemoteAddr))

	attempt := failedLogin{username, password, time.Now()}
	updatedLogins := []failedLogin{attempt}
	for _, attempt := range failedLogins {
		if 100 > time.Now().Sub(attempt.Timestamp).Abs().Seconds() {
			updatedLogins = append(updatedLogins, attempt)
		}
	}
	failedLogins = updatedLogins

	// At least 3 failed attempts in last 100 seconds -> likely bruteforce
	if len(failedLogins) >= 3 && Cfg.Scram {
		Scram()
	}
}

// BasicAuth is a middleware that handles authentication & authorization for the app.
// It uses BasicAuth because I doubt there is a need for something sophisticated in a small hobby project.
// Originally taken from Alex Edwards's https://www.alexedwards.net/blog/basic-authentication-in-go, MIT Licensed (13.03.2024).
func BasicAuth(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		username, password, ok := r.BasicAuth()
		if ok {
			// Calculate SHA-256 hashes for equal length in ConstantTimeCompare
			usernameHash := sha256.Sum256([]byte(username))
			passwordHash := sha256.Sum256([]byte(password))
			expectedUsernameHash := sha256.Sum256([]byte(Cfg.Username))
			expectedPasswordHash := sha256.Sum256([]byte(Cfg.Password))

			usernameMatch := subtle.ConstantTimeCompare(usernameHash[:], expectedUsernameHash[:]) == 1
			passwordMatch := subtle.ConstantTimeCompare(passwordHash[:], expectedPasswordHash[:]) == 1

			if usernameMatch && passwordMatch {
				next.ServeHTTP(w, r)
				return
			} else {
				NoteLoginFail(username, password, r)
			}
		}

		// Unauthorized, inform client that we have auth and return 401
		w.Header().Set("WWW-Authenticate", `Basic realm="restricted", charset="UTF-8"`)
		http.Error(w, "Unauthorized", http.StatusUnauthorized)
	})
}

// Scram shuts down the service, useful in case of suspected attack.
func Scram() {
	slog.Warn("SCRAM triggered, shutting down")
	NotifyTelegram(TranslatableText("info.telegram.scram"))
	os.Exit(0)
}

// NotifyTelegram attempts to send a message to admin through Telegram.
func NotifyTelegram(msg string) {
	if Cfg.TelegramChat == "" || Cfg.TelegramToken == "" {
		slog.Debug("ignoring telegram request due to lack of credentials")
		return
	}
	client := &http.Client{}
	data := "chat_id=" + Cfg.TelegramChat + "&text=" + msg
	if Cfg.TelegramTopic != "" {
		data += "&message_thread_id=" + Cfg.TelegramTopic
	}
	req, err := http.NewRequest("POST", "https://api.telegram.org/bot"+Cfg.TelegramToken+"/sendMessage", strings.NewReader(data))
	if err != nil {
		slog.Error("failed telegram request", "error", err)
		return
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	resp, err := client.Do(req)
	if err != nil {
		slog.Error("failed telegram request", "error", err)
		return
	}

	if resp.StatusCode != 200 {
		slog.Error("failed telegram request", "status", resp.Status)
	}
}