From c2e19cc6da86476dab3be9ff1e63970e8bcfa227 Mon Sep 17 00:00:00 2001
From: Joona Hoikkala
Date: Mon, 21 Nov 2016 12:19:05 +0200
Subject: [PATCH] Added subdomain check to auth middleware
---
 api.go | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/api.go b/api.go
index 0188eb9..e22dcbb 100644
--- a/api.go
+++ b/api.go
@@ -22,14 +22,21 @@ func PostHandlerMap() map[string]func(*iris.Context) {
 func (a AuthMiddleware) Serve(ctx *iris.Context) {
 usernameStr := ctx.RequestHeader("X-Api-User")
 password := ctx.RequestHeader("X-Api-Key")
+ postData := ACMETxt{}
 username, err := GetValidUsername(usernameStr)
 if err == nil && ValidKey(password) {
 au, err := DB.GetByUsername(username)
 if err == nil && CorrectPassword(password, au.Password) {
- log.Debugf("Accepted authentication from [%s]", usernameStr)
- ctx.Next()
- return
+ // Password ok
+ if err := ctx.ReadJSON(&postData); err != nil {
+ // Check that the subdomain belongs to the user
+ if au.Subdomain == postData.Subdomain {
+ log.Debugf("Accepted authentication from [%s]", usernameStr)
+ ctx.Next()
+ return
+ }
+ }
 }
 // To protect against timed side channel (never gonna give you up)
 CorrectPassword(password, "$2a$10$8JEFVNYYhLoBysjAxe2yBuXrkDojBQBkVpXEQgyQyjn43SvJ4vL36")
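Review bot: The `ReadJSON` condition on the new side is inverted — `if err := ctx.ReadJSON(&postData); err != nil {` runs the subdomain check only when the body failed to parse, at which point `postData` is still the zero value declared a few lines up, so `au.Subdomain == postData.Subdomain` can hold only for an account whose stored subdomain is empty, while a well-formed request from a correctly authenticated user skips the block entirely and falls through to the rejection path. The guard should read `if err := ctx.ReadJSON(&postData); err == nil {`, and a debug log on the mismatch branch would let an operator tell a wrong-subdomain rejection apart from a bad password. Separately, `ReadJSON` consumes the request body before `ctx.Next()` hands off to the handler; whether iris lets the handler decode the same body a second time is not visible here, so confirm that, or stash the parsed `postData` on the context for the handler to reuse. `Serve` continues past the end of the hunk, so the unauthorized response itself is not visible.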