authentication added

Author: mrtkp9993

README.md

@@ -8,6 +8,8 @@ Basic CRUD operations (Create-Read-Update-Delete).
 
 ## Database Scheme
 
+Data table:
+
 ```sql
 create table products
 (
@@ -19,34 +21,48 @@ create table products
 
 You can generate data from http://filldb.info/.
 
+Users table:
+
+```sql
+CREATE TABLE `users` (
+  `id` int(11) unsigned NOT NULL AUTO_INCREMENT,
+  `username` text NOT NULL,
+  `saltedpassword` text NOT NULL,
+  `salt` text NOT NULL,
+  PRIMARY KEY (`id`)
+);
+```
+
+````Password+Salt```` is encrypted with ``bcrypt``with 10 rounds and stored in ``saltedpassword``column.
+
 ## Example Requests
 
 To get all entries from table:
 ```
-curl 127.0.0.1:8000/api/products/list
+curl --user user1:pass1 127.0.0.1:8000/api/products/list
 ```
 
 To get an entry with `id` (where id equals 10):
 ```
-curl 127.0.0.1:8000/api/products/10
+curl --user user1:pass1 127.0.0.1:8000/api/products/10
 ```
 
 To create an entry:
 ```
 curl --header "Content-Type: application/json" \
      --request POST \
      --data '{"name": "ABC", "manufacturer": "ACME"}' \
-	 127.0.0.1:8000/api/products/new
+	 --user user1:pass1 127.0.0.1:8000/api/products/new
 ```
 
 To update an entry:
 ```
 curl --request PUT \ 
      --data '{"name": "ABC", "manufacturer": "ACME"}' \ 
-     127.0.0.1:8000/api/products/11
+     --user user1:pass1 127.0.0.1:8000/api/products/11
 ```
 
 To delete an entry:
 ```
-curl --request DELETE 127.0.0.1:8000/api/products/10
+curl --request DELETE --user user1:pass1 127.0.0.1:8000/api/products/10
 ```

app.go

@@ -23,15 +23,18 @@ package main
 
 import (
 	"database/sql"
+	"encoding/base64"
 	"encoding/json"
 	_ "github.com/go-sql-driver/mysql"
 	"github.com/gorilla/handlers"
 	"github.com/gorilla/mux"
 	"github.com/spf13/viper"
+	"golang.org/x/crypto/bcrypt"
 	"log"
 	"net/http"
 	"os"
 	"strconv"
+	"strings"
 )
 
 type App struct {
@@ -40,7 +43,7 @@ type App struct {
 	DB     *sql.DB
 }
 
-// curl 127.0.0.1:8000/api/products/list
+// curl --user user1:pass1 127.0.0.1:8000/api/products/list
 func (a *App) getProducts(w http.ResponseWriter, r *http.Request) {
 	rows, err := a.DB.Query("SELECT * FROM products")
 	if err != nil {
@@ -63,7 +66,7 @@ func (a *App) getProducts(w http.ResponseWriter, r *http.Request) {
 }
 
 // curl --header "Content-Type: application/json" --request POST --data '{"name": "ABC", "manufacturer": "ACME"}' \
-// 		127.0.0.1:8000/api/products/new
+// 		--user user1:pass1 127.0.0.1:8000/api/products/new
 func (a *App) createProduct(w http.ResponseWriter, r *http.Request) {
 	var p Product
 	decoder := json.NewDecoder(r.Body)
@@ -82,7 +85,7 @@ func (a *App) createProduct(w http.ResponseWriter, r *http.Request) {
 	respondWithMessage(w, http.StatusCreated, "New row added.")
 }
 
-// curl 127.0.0.1:8000/api/products/10
+// curl --user user1:pass1 127.0.0.1:8000/api/products/10
 func (a *App) getProduct(w http.ResponseWriter, r *http.Request) {
 	vars := mux.Vars(r)
 	id, err := strconv.Atoi(vars["id"])
@@ -101,7 +104,7 @@ func (a *App) getProduct(w http.ResponseWriter, r *http.Request) {
 	respondWithJSON(w, http.StatusOK, p)
 }
 
-// curl --request PUT --data '{"name": "ABC", "manufacturer": "ACME"}' 127.0.0.1:8000/api/products/11
+// curl --request PUT --data '{"name": "ABC", "manufacturer": "ACME"}' --user user1:pass1 127.0.0.1:8000/api/products/11
 func (a *App) updateProduct(w http.ResponseWriter, r *http.Request) {
 	vars := mux.Vars(r)
 	id, err := strconv.Atoi(vars["id"])
@@ -128,7 +131,7 @@ func (a *App) updateProduct(w http.ResponseWriter, r *http.Request) {
 	respondWithJSON(w, http.StatusOK, p)
 }
 
-// curl --request DELETE 127.0.0.1:8000/api/products/10
+// curl --request DELETE --user user1:pass1 127.0.0.1:8000/api/products/10
 func (a *App) deleteProduct(w http.ResponseWriter, r *http.Request) {
 	vars := mux.Vars(r)
 	id, err := strconv.Atoi(vars["id"])
@@ -146,12 +149,48 @@ func (a *App) deleteProduct(w http.ResponseWriter, r *http.Request) {
 	respondWithMessage(w, http.StatusOK, "Deleted.")
 }
 
+func (a *App) authHandler(f http.HandlerFunc) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		s := strings.SplitN(r.Header.Get("Authorization"), " ", 2)
+		if len(s) != 2 {
+			respondWithError(w, http.StatusUnauthorized, "Invalid/Missing Credentials.")
+			return
+		}
+
+		b, err := base64.StdEncoding.DecodeString(s[1])
+		if err != nil {
+			respondWithError(w, http.StatusUnauthorized, "Invalid/Missing Credentials.")
+			return
+		}
+
+		pair := strings.SplitN(string(b), ":", 2)
+		if len(pair) != 2 {
+			respondWithError(w, http.StatusUnauthorized, "Invalid/Missing Credentials.")
+			return
+		}
+
+		user := User{Username: pair[0]}
+		row := a.DB.QueryRow("SELECT id, saltedpassword, salt FROM users WHERE username=?", user.Username)
+		if err := row.Scan(&user.Id, &user.Saltedpassword, &user.Salt); err != nil {
+			respondWithError(w, http.StatusUnauthorized, "Invalid/Missing Credentials.")
+			return
+		}
+
+		if err := bcrypt.CompareHashAndPassword([]byte(user.Saltedpassword), []byte(pair[1]+user.Salt)); err != nil {
+			respondWithError(w, http.StatusUnauthorized, "Invalid/Missing Credentials.")
+			return
+		}
+
+		f(w, r)
+	}
+}
+
 func (a *App) InitializeRoutes() {
-	a.Router.HandleFunc("/api/products/list", a.getProducts).Methods("GET")
-	a.Router.HandleFunc("/api/products/new", a.createProduct).Methods("POST")
-	a.Router.HandleFunc("/api/products/{id:[0-9]+}", a.getProduct).Methods("GET")
-	a.Router.HandleFunc("/api/products/{id:[0-9]+}", a.updateProduct).Methods("PUT")
-	a.Router.HandleFunc("/api/products/{id:[0-9]+}", a.deleteProduct).Methods("DELETE")
+	a.Router.HandleFunc("/api/products/list", a.authHandler(a.getProducts)).Methods("GET")
+	a.Router.HandleFunc("/api/products/new", a.authHandler(a.createProduct)).Methods("POST")
+	a.Router.HandleFunc("/api/products/{id:[0-9]+}", a.authHandler(a.getProduct)).Methods("GET")
+	a.Router.HandleFunc("/api/products/{id:[0-9]+}", a.authHandler(a.updateProduct)).Methods("PUT")
+	a.Router.HandleFunc("/api/products/{id:[0-9]+}", a.authHandler(a.deleteProduct)).Methods("DELETE")
 }
 
 func (a *App) Initialize(username, password, server, port, dbName string) {

go.mod

@@ -9,5 +9,6 @@ require (
 	github.com/gorilla/mux v1.7.0
 	github.com/magiconair/properties v1.8.0
 	github.com/spf13/viper v1.3.2
+	golang.org/x/crypto v0.0.0-20190417174047-f416ebab96af
 	google.golang.org/appengine v1.5.0 // indirect
 )

go.sum

@@ -40,9 +40,13 @@ github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXf
 github.com/ugorji/go/codec v0.0.0-20181204163529-d75b2dcb6bc8/go.mod h1:VFNgLljTbGfSG7qAOspJ7OScBnGdDN/yBr0sguwnwf0=
 github.com/xordataexchange/crypt v0.0.3-0.20170626215501-b2862e3d0a77/go.mod h1:aYKd//L2LvnjZzWKhF00oedf4jCCReLcmhLdhm1A27Q=
 golang.org/x/crypto v0.0.0-20181203042331-505ab145d0a9/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
+golang.org/x/crypto v0.0.0-20190417174047-f416ebab96af h1:6qGQw30u837TXZbCmLFR9AVA+RjJU1LIbvk0oIkDZGY=
+golang.org/x/crypto v0.0.0-20190417174047-f416ebab96af/go.mod h1:WFFai1msRO1wXaEeE5yQxYXgSfI8pQAWXbQop6sCtWE=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/sys v0.0.0-20181205085412-a5c9d58dba9a h1:1n5lsVfiQW3yfsRGu98756EH1YthsFqr/5mxHduZW2A=
 golang.org/x/sys v0.0.0-20181205085412-a5c9d58dba9a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20190403152447-81d4e9dc473e h1:nFYrTHrdrAOpShe27kaFHjsqYSEQ0KWqdWLu3xuZJts=
+golang.org/x/sys v0.0.0-20190403152447-81d4e9dc473e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/text v0.3.0 h1:g61tztE5qeGQ89tm6NTjjM9VPIm088od1l6aSorWRWg=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 google.golang.org/appengine v1.5.0 h1:KxkO13IPW4Lslp2bz+KHP2E3gtFlrIGNThxkZQ3g+4c=

main_test.go

@@ -87,6 +87,7 @@ func clearTestTable() {
 
 func TestGetProduct(t *testing.T) {
 	request, _ := http.NewRequest("GET", "/api/products/2", nil)
+	request.SetBasicAuth("user1", "pass1")
 	response := httptest.NewRecorder()
 	a.Router.ServeHTTP(response, request)
 	assert.Equal(t, response.Code, http.StatusOK)
@@ -96,6 +97,7 @@ func TestCreateProduct(t *testing.T) {
 	newProduct := main.Product{Id: 1, Name: "Earthquake Pills", Manufacturer: "ACME"}
 	payload, _ := json.Marshal(newProduct)
 	request, _ := http.NewRequest("POST", "/api/products/new", bytes.NewReader(payload))
+	request.SetBasicAuth("user1", "pass1")
 	response := httptest.NewRecorder()
 	a.Router.ServeHTTP(response, request)
 	assert.Equal(t, response.Code, http.StatusCreated)
@@ -105,6 +107,7 @@ func TestUpdateProduct(t *testing.T) {
 	updatedProduct := main.Product{Id: 1, Name: "Do-It-Yourself Tornado Kit", Manufacturer: "ACME"}
 	payload, _ := json.Marshal(updatedProduct)
 	request, _ := http.NewRequest("PUT", "/api/products/1", bytes.NewReader(payload))
+	request.SetBasicAuth("user1", "pass1")
 	response := httptest.NewRecorder()
 	a.Router.ServeHTTP(response, request)
 	assert.Equal(t, response.Code, http.StatusOK)
@@ -117,6 +120,7 @@ func TestUpdateProduct(t *testing.T) {
 
 func TestDeleteProduct(t *testing.T) {
 	request, _ := http.NewRequest("DELETE", "/api/products/1", nil)
+	request.SetBasicAuth("user1", "pass1")
 	response := httptest.NewRecorder()
 	a.Router.ServeHTTP(response, request)
 	assert.Equal(t, response.Code, http.StatusOK)

models.go

@@ -22,3 +22,10 @@ type Product struct {
 	Name         string `json:"name"`
 	Manufacturer string `json:"manufacturer"`
 }
+
+type User struct {
+	Id             int
+	Username       string
+	Saltedpassword string
+	Salt           string
+}