Added subdomain check to auth middleware

2025-07-14 17:58:07 +07:00 · 2016-11-21 12:19:05 +02:00
parent 8d21f32d1e
commit c2e19cc6da
1 changed files with 10 additions and 3 deletions
--- a/api.go
+++ b/api.go
@ -22,15 +22,22 @@ func PostHandlerMap() map[string]func(*iris.Context) {
 func (a AuthMiddleware) Serve(ctx *iris.Context) {
 	usernameStr := ctx.RequestHeader("X-Api-User")
 	password := ctx.RequestHeader("X-Api-Key")
+	postData := ACMETxt{}

 	username, err := GetValidUsername(usernameStr)
 	if err == nil && ValidKey(password) {
 		au, err := DB.GetByUsername(username)
 		if err == nil && CorrectPassword(password, au.Password) {
+			// Password ok
+			if err := ctx.ReadJSON(&postData); err != nil {
+				// Check that the subdomain belongs to the user
+				if au.Subdomain == postData.Subdomain {
 					log.Debugf("Accepted authentication from [%s]", usernameStr)
 					ctx.Next()
 					return
 				}
+			}
+		}
 		// To protect against timed side channel (never gonna give you up)
 		CorrectPassword(password, "$2a$10$8JEFVNYYhLoBysjAxe2yBuXrkDojBQBkVpXEQgyQyjn43SvJ4vL36")
 	}