Project homepage Mailing List  Warmcat.com  API Docs  Github Mirror 
{"schema":"libjg2-1", "vpath":"/git/", "avatar":"/git/avatar/", "alang":"", "gen_ut":1747286916, "reponame":"libwebsockets", "desc":"libwebsockets lightweight C networking library", "owner": { "name": "Andy Green", "email": "andy@warmcat.com", "md5": "c50933ca2aa61e0fe2c43d46bb6b59cb" },"url":"https://libwebsockets.org/repo/libwebsockets", "f":3, "items": [ {"schema":"libjg2-1", "cid":"dd1355f37c0c3e35a5fef2223083c535", "commit": {"type":"commit", "time": 1576367728, "time_ofs": 0, "oid_tree": { "oid": "f8139524132644a30a01b7ae126075a6c6c1a01e", "alias": []}, "oid":{ "oid": "10290048b006aaad1f9c4b00cf95c70a2f9fd435", "alias": []}, "msg": "basic auth: add callback option", "sig_commit": { "git_time": { "time": 1576367728, "offset": 0 }, "name": "Andy Green", "email": "andy@warmcat.com", "md5": "c50933ca2aa61e0fe2c43d46bb6b59cb" }, "sig_author": { "git_time": { "time": 1576176300, "offset": 0 }, "name": "Dane", "email": "frokrad@hotmail.com", "md5": "f15540d20626f2ec6cdedddc71fe9525" }}, "body": "basic auth: add callback option\n\nAllow an http mount to specify it wants to check Basic Auth\nrequests via a protocol callback instead of a text file." , "diff": "diff --git a/include/libwebsockets/lws-callbacks.h b/include/libwebsockets/lws-callbacks.h\nindex a31ab74..5a61e4c 100644\n--- a/include/libwebsockets/lws-callbacks.h\n+++ b/include/libwebsockets/lws-callbacks.h\n@@ -280,6 +280,15 @@ enum lws_callback_reasons {\n \t * break;\n \t */\n \n+\tLWS_CALLBACK_VERIFY_BASIC_AUTHORIZATION \u003d 102,\n+\t/**\u003c This gives the user code a chance to accept or reject credentials\n+\t * provided HTTP to basic authorization. It will only be called if the\n+\t * http mount's authentication_mode is set to LWSAUTHM_BASIC_AUTH_CALLBACK\n+\t * `in` points to a credential string of the form `username:password` If\n+\t * the callback returns zero (the default if unhandled), then the\n+\t * transaction ends with HTTP_STATUS_UNAUTHORIZED, otherwise the request\n+\t * will be processed */\n+\n \tLWS_CALLBACK_CHECK_ACCESS_RIGHTS\t\t\t\u003d 51,\n \t/**\u003c This gives the user code a chance to forbid an http access.\n \t * `in` points to a `struct lws_process_html_args`, which\ndiff --git a/include/libwebsockets/lws-context-vhost.h b/include/libwebsockets/lws-context-vhost.h\nindex 5574c77..fa93a59 100644\n--- a/include/libwebsockets/lws-context-vhost.h\n+++ b/include/libwebsockets/lws-context-vhost.h\n@@ -1040,6 +1040,18 @@ enum lws_mount_protocols {\n \tLWSMPRO_CALLBACK\t\u003d 6, /**\u003c hand by named protocol's callback */\n };\n \n+/** enum lws_authentication_mode\n+ * This specifies the authentication mode of the mount. The basic_auth_login_file mount parameter\n+ * is ignored unless LWSAUTHM_DEFAULT is set.\n+ */\n+enum lws_authentication_mode {\n+\tLWSAUTHM_DEFAULT \u003d 0, /**\u003c default authenticate only if basic_auth_login_file is provided */\n+\tLWSAUTHM_BASIC_AUTH_CALLBACK \u003d 1 \u003c\u003c 28 /**\u003c Basic auth with a custom verifier */\n+};\n+\n+/** The authentication mode is stored in the top 4 bits of lws_http_mount.auth_mask */\n+#define AUTH_MODE_MASK 0xF0000000\n+\n /** struct lws_http_mount\n *\n * arguments for mounting something in a vhost's url namespace\n@@ -1080,7 +1092,7 @@ struct lws_http_mount {\n \tunsigned char mountpoint_len; /**\u003c length of mountpoint string */\n \n \tconst char *basic_auth_login_file;\n-\t/**\u003cNULL, or filepath to use to check basic auth logins against */\n+\t/**\u003cNULL, or filepath to use to check basic auth logins against. (requires LWSAUTHM_DEFAULT) */\n \n \t/* Add new things just above here ---^\n \t * This is part of the ABI, don't needlessly break compatibility\ndiff --git a/lib/roles/http/private-lib-roles-http.h b/lib/roles/http/private-lib-roles-http.h\nindex 1b97d1b..5f3de66 100644\n--- a/lib/roles/http/private-lib-roles-http.h\n+++ b/lib/roles/http/private-lib-roles-http.h\n@@ -300,7 +300,7 @@ enum lws_check_basic_auth_results {\n };\n \n enum lws_check_basic_auth_results\n-lws_check_basic_auth(struct lws *wsi, const char *basic_auth_login_file);\n+lws_check_basic_auth(struct lws *wsi, const char *basic_auth_login_file, unsigned int auth_mode);\n \n int\n lws_unauthorised_basic_auth(struct lws *wsi);\ndiff --git a/lib/roles/http/server/server.c b/lib/roles/http/server/server.c\nindex 1cde7ac..303c4af 100644\n--- a/lib/roles/http/server/server.c\n+++ b/lib/roles/http/server/server.c\n@@ -946,16 +946,15 @@ lws_http_get_uri_and_method(struct lws *wsi, char **puri_ptr, int *puri_len)\n \treturn -1;\n }\n \n-\n-\n enum lws_check_basic_auth_results\n-lws_check_basic_auth(struct lws *wsi, const char *basic_auth_login_file)\n+lws_check_basic_auth(struct lws *wsi, const char *basic_auth_login_file,\n+\t\t unsigned int auth_mode)\n {\n #if defined(LWS_WITH_FILE_OPS)\n \tchar b64[160], plain[(sizeof(b64) * 3) / 4], *pcolon;\n-\tint m, ml, fi;\n+\tint m, ml, fi, bar;\n \n-\tif (!basic_auth_login_file)\n+\tif (!basic_auth_login_file \u0026\u0026 auth_mode \u003d\u003d LWSAUTHM_DEFAULT)\n \t\treturn LCBA_CONTINUE;\n \n \t/* Did he send auth? */\n@@ -998,8 +997,23 @@ lws_check_basic_auth(struct lws *wsi, const char *basic_auth_login_file)\n \t\tlwsl_err(\u0022basic auth format broken\u005cn\u0022);\n \t\treturn LCBA_END_TRANSACTION;\n \t}\n-\tif (!lws_find_string_in_file(basic_auth_login_file, plain, m)) {\n-\t\tlwsl_err(\u0022basic auth lookup failed\u005cn\u0022);\n+\n+\tswitch (auth_mode) {\n+\tcase LWSAUTHM_DEFAULT:\n+\t\tif (lws_find_string_in_file(basic_auth_login_file, plain, m))\n+\t\t\tbreak;\n+\t\tlwsl_err(\u0022%s: basic auth lookup failed\u005cn\u0022, __func__);\n+\t\treturn LCBA_FAILED_AUTH;\n+\n+\tcase LWSAUTHM_BASIC_AUTH_CALLBACK:\n+\t\tbar \u003d wsi-\u003eprotocol-\u003ecallback(wsi,\n+\t\t\t\tLWS_CALLBACK_VERIFY_BASIC_AUTHORIZATION,\n+\t\t\t\twsi-\u003euser_space, plain, m);\n+\t\tif (!bar)\n+\t\t\treturn LCBA_FAILED_AUTH;\n+\t\tbreak;\n+\tdefault:\n+\t\t/* Invalid auth mode so lets fail all authentication attempts */\n \t\treturn LCBA_FAILED_AUTH;\n \t}\n \n@@ -1468,7 +1482,8 @@ lws_http_action(struct lws *wsi)\n \n \t/* basic auth? */\n \n-\tswitch(lws_check_basic_auth(wsi, hit-\u003ebasic_auth_login_file)) {\n+\tswitch (lws_check_basic_auth(wsi, hit-\u003ebasic_auth_login_file,\n+\t\t\t\t hit-\u003eauth_mask \u0026 AUTH_MODE_MASK)) {\n \tcase LCBA_CONTINUE:\n \t\tbreak;\n \tcase LCBA_FAILED_AUTH:\n@@ -1527,7 +1542,7 @@ lws_http_action(struct lws *wsi)\n \n \t\targs.p \u003d uri_ptr;\n \t\targs.len \u003d uri_len;\n-\t\targs.max_len \u003d hit-\u003eauth_mask;\n+\t\targs.max_len \u003d hit-\u003eauth_mask \u0026 ~AUTH_MODE_MASK;\n \t\targs.final \u003d 0; /* used to signal callback dealt with it */\n \t\targs.chunked \u003d 0;\n \ndiff --git a/lib/roles/ws/server-ws.c b/lib/roles/ws/server-ws.c\nindex 2006c3f..3f1813a 100644\n--- a/lib/roles/ws/server-ws.c\n+++ b/lib/roles/ws/server-ws.c\n@@ -271,7 +271,8 @@ lws_process_ws_upgrade2(struct lws *wsi)\n \t !lws_pvo_get_str((void *)pvos-\u003eoptions, \u0022basic-auth\u0022,\n \t\t\t \u0026ws_prot_basic_auth)) {\n \t\tlwsl_info(\u0022%s: ws upgrade requires basic auth\u005cn\u0022, __func__);\n-\t\tswitch(lws_check_basic_auth(wsi, ws_prot_basic_auth)) {\n+\t\tswitch (lws_check_basic_auth(wsi, ws_prot_basic_auth, LWSAUTHM_DEFAULT\n+\t\t\t\t\t\t/* no callback based auth here */)) {\n \t\tcase LCBA_CONTINUE:\n \t\t\tbreak;\n \t\tcase LCBA_FAILED_AUTH:\n","s":{"c":1747286916,"u": 10143}} ],"g": 11271,"chitpc": 0,"ehitpc": 0,"indexed":0 , "ab": 0, "si": 0, "db":0, "di":0, "sat":0, "lfc": "0000"}