From 4490a6618e54ac4d3f753d3a870cc4801b19bdb5 Mon Sep 17 00:00:00 2001 From: julien Date: Thu, 19 Jun 2025 10:36:38 +0200 Subject: [PATCH] secure webdav --- internal/route/main.go | 94 ++++++++++++++++++++++++++++++------------ 1 file changed, 68 insertions(+), 26 deletions(-) diff --git a/internal/route/main.go b/internal/route/main.go index 3ce72b1..2cc7f3e 100644 --- a/internal/route/main.go +++ b/internal/route/main.go @@ -19,7 +19,48 @@ import ( "golang.org/x/net/webdav" "gorm.io/gorm" ) +func setupWebdavRoute(r *mux.Router, db *gorm.DB) { + webdavHandler := &webdav.Handler{ + Prefix: "/webdav/", + FileSystem: webdav.Dir("/app/upload"), + LockSystem: webdav.NewMemLS(), + } + // Middleware HTTP Basic qui interroge la DB + authHandler := http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) { + user, pass, ok := req.BasicAuth() + if !ok || !checkUserCredentials(db, user, pass) { + w.Header().Set("WWW-Authenticate", `Basic realm="Restricted"`) + http.Error(w, "Unauthorized", http.StatusUnauthorized) + return + } + + // Lecture seule + if req.Method != "GET" && req.Method != "HEAD" && req.Method != "OPTIONS" && req.Method != "PROPFIND" { + http.Error(w, "Read-Only", http.StatusForbidden) + return + } + + w.Header().Set("DAV", "1,2") + w.Header().Set("MS-Author-Via", "DAV") + webdavHandler.ServeHTTP(w, req) + }) + + r.PathPrefix("/webdav/").Handler(authHandler) +} +func checkUserCredentials(db *gorm.DB, email string, password string) bool { + var user models.User + + // On cherche l'utilisateur par email + result := db.Where("email = ?", email).First(&user) + if result.Error != nil { + return false + } + + // On vérifie le mot de passe via bcrypt comme dans ton LoginHandler + err := bcrypt.CompareHashAndPassword([]byte(user.Password), []byte(password)) + return err == nil +} type spaHandler struct { staticPath string indexPath string 
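Review bot: checkUserCredentials returns before the bcrypt comparison when the email lookup fails (`if result.Error != nil { return false }`), so a request for an unknown account is rejected noticeably faster than one for a known account with a wrong password, which lets a client tell registered emails apart by timing. Running the comparison against a fixed dummy hash on the miss path brings both branches to roughly the same cost (assuming stored hashes use bcrypt.DefaultCost); the sketch below does that with a package-level hash generated once at startup. The Basic-auth middleware in setupWebdavRoute also has no rate limiting and, unlike the block it replaces, logs nothing on a failed attempt, so repeated guesses against /webdav/ leave no trace in the application log — consider at least `log.Printf("webdav auth failed for %q from %s", user, req.RemoteAddr)` before the 401, and keep in mind that Basic credentials travel in cleartext unless TLS is terminated in front of this service, which the hunk does not show. Both new functions are missing doc comments, e.g. `// setupWebdavRoute mounts a read-only, Basic-auth-protected WebDAV view of /app/upload under /webdav/.` and `// checkUserCredentials reports whether email/password match the stored bcrypt hash; any lookup error counts as a failed login.`
```go
// dummyHash is compared against on a failed lookup so that unknown and known
// accounts take about the same time to reject; its value is never matched.
// GenerateFromPassword only errors for an out-of-range cost, hence the blank.
var dummyHash, _ = bcrypt.GenerateFromPassword([]byte("placeholder-never-matches"), bcrypt.DefaultCost)

func checkUserCredentials(db *gorm.DB, email string, password string) bool {
	var user models.User

	result := db.Where("email = ?", email).First(&user)
	if result.Error != nil {
		// Equalise timing with the found-user path before rejecting.
		_ = bcrypt.CompareHashAndPassword(dummyHash, []byte(password))
		return false
	}
	// … unchanged: bcrypt comparison of user.Password …
}
```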
@@ -80,39 +121,40 @@ func RoutesPublic(r *mux.Router, bd *gorm.DB) { http.Error(w, "Erreur lors de la génération de la playlist", http.StatusInternalServerError) } }) + setupWebdavRoute(r, bd) // WebDAV sécurisé - username := "tonuser" // ton login - password := "tonpassword" // ton password + // username := "tonuser" // ton login + // password := "tonpassword" // ton password - webdavHandler := &webdav.Handler{ - Prefix: "/webdav/", - FileSystem: webdav.Dir("/app/upload"), - LockSystem: webdav.NewMemLS(), - } + // webdavHandler := &webdav.Handler{ + // Prefix: "/webdav/", + // FileSystem: webdav.Dir("/app/upload"), + // LockSystem: webdav.NewMemLS(), + // } - r.PathPrefix("/webdav/").Handler(http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) { - // Authentification - auth := req.Header.Get("Authorization") - if auth == "" || !checkAuth(auth, username, password) { - w.Header().Set("WWW-Authenticate", `Basic realm="Restricted"`) - http.Error(w, "Unauthorized", http.StatusUnauthorized) - return - } + // r.PathPrefix("/webdav/").Handler(http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) { + // // Authentification + // auth := req.Header.Get("Authorization") + // if auth == "" || !checkAuth(auth, username, password) { + // w.Header().Set("WWW-Authenticate", `Basic realm="Restricted"`) + // http.Error(w, "Unauthorized", http.StatusUnauthorized) + // return + // } - // Protection lecture seule - if req.Method != "GET" && req.Method != "HEAD" && req.Method != "OPTIONS" && req.Method != "PROPFIND" { - http.Error(w, "Read-Only", http.StatusForbidden) - return - } - log.Printf("WebDAV request: %s %s", req.Method, req.URL.Path) + // // Protection lecture seule + // if req.Method != "GET" && req.Method != "HEAD" && req.Method != "OPTIONS" && req.Method != "PROPFIND" { + // http.Error(w, "Read-Only", http.StatusForbidden) + // return + // } + // log.Printf("WebDAV request: %s %s", req.Method, req.URL.Path) - // Headers WebDAV que VLC attend - 
w.Header().Set("DAV", "1,2") - w.Header().Set("MS-Author-Via", "DAV") + // // Headers WebDAV que VLC attend + // w.Header().Set("DAV", "1,2") + // w.Header().Set("MS-Author-Via", "DAV") - webdavHandler.ServeHTTP(w, req) - })) + // webdavHandler.ServeHTTP(w, req) + // })) } // Routes protégées
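Review bot: The new side keeps the whole previous WebDAV block as about 26 commented-out lines, including the placeholder credentials `// username := "tonuser"` and `// password := "tonpassword"`, instead of deleting it; the history is already in git, and commented-out code tends to be resurrected or to confuse the next reader about which path is live. I would drop everything from `// username := "tonuser"` through `// }))` and keep only `setupWebdavRoute(r, bd)` after the `// WebDAV sécurisé` comment. Since `log.Printf` was the only visible use of `log` in this hunk, the import may now be unused and fail to compile if nothing else in the file references it — worth checking, as is whether `checkAuth` (referenced only by the removed code here) is now dead. RoutesPublic starts before this hunk.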