When i beginning read the source code of go-http-auth, I spent a long time to find out how the password :$1$dlPL2MqE$oQmn16q49SqdmhenQuNgs1 of "hello" was generated in example/basic.go . I can't find any explain in document and any demo code.
So, I implemented the function of generate md5 and sha1 formatting password from plaintext. And i believe these two functions is useful when writing the function func Secret(user, realm string) string, especially the raw password may be changed.

I've created htpasswd files using the htpasswd utility and, while go-http-auth supports the file format, the hashed passwords aren't matching up.

This isn't my area of expertise, but I suspect go-http-auth is using a different salt than htpasswd and perhaps there are some other minor differences in how the MD5 and SHA algorithms are used between htpasswd and go-http-auth. Or I am I missing something?

If htpasswd encrypted passwords aren't going to be supported by go-http-auth, how about a similar utility that will create an httpasswd file that will work with go-http-auth.

Very happy with the package, by the way.

Thanks.

Getting the following stacktrace when replacing htpasswd file during server run:

fatal error: concurrent map read and map write

goroutine 6472875 [running]:
runtime.throw(0x6d07a9, 0x21)
	/usr/lib/go-1.7/src/runtime/panic.go:566 +0x95 fp=0xc420501ad0 sp=0xc420501ab0
runtime.mapaccess2_faststr(0x67a560, 0xc4200a7980, 0xc4202e3040, 0x9, 0xc4202e3080, 0x2)
	/usr/lib/go-1.7/src/runtime/hashmap_fast.go:306 +0x52b fp=0xc420501b30 sp=0xc420501ad0
github.com/abbot/go-http-auth.HtpasswdFileProvider.func2(0xc4202e3040, 0x9, 0x6cbc3b, 0x14, 0x2, 0xc4202e3080)
	/root/vania-pooh/go/src/github.com/abbot/go-http-auth/users.go:132 +0x67 fp=0xc420501b78 sp=0xc420501b30
github.com/abbot/go-http-auth.(*BasicAuth).CheckAuth(0xc4203d3cc0, 0xc42010e1e0, 0xc4203deb70, 0xc4202a6030)
	/root/vania-pooh/go/src/github.com/abbot/go-http-auth/basic.go:83 +0x1ee fp=0xc420501c30 sp=0xc420501b78
github.com/abbot/go-http-auth.(*BasicAuth).Wrap.func1(0x7eaf00, 0xc4204e8b60, 0xc42010e1e0)
	/root/vania-pooh/go/src/github.com/abbot/go-http-auth/basic.go:142 +0x46 fp=0xc420501c88 sp=0xc420501c30
net/http.HandlerFunc.ServeHTTP(0xc4203d3d60, 0x7eaf00, 0xc4204e8b60, 0xc42010e1e0)
	/usr/lib/go-1.7/src/net/http/server.go:1726 +0x44 fp=0xc420501cb0 sp=0xc420501c88
net/http.(*ServeMux).ServeHTTP(0xc42029a0c0, 0x7eaf00, 0xc4204e8b60, 0xc42010e1e0)
	/usr/lib/go-1.7/src/net/http/server.go:2022 +0x7f fp=0xc420501cf0 sp=0xc420501cb0
net/http.serverHandler.ServeHTTP(0xc42005e880, 0x7eaf00, 0xc4204e8b60, 0xc42010e1e0)
	/usr/lib/go-1.7/src/net/http/server.go:2202 +0x7d fp=0xc420501d38 sp=0xc420501cf0
net/http.(*conn).serve(0xc4200f5880, 0x7eb440, 0xc420184c00)
	/usr/lib/go-1.7/src/net/http/server.go:1579 +0x4b7 fp=0xc420501f98 sp=0xc420501d38
runtime.goexit()
	/usr/lib/go-1.7/src/runtime/asm_amd64.s:2086 +0x1 fp=0xc420501fa0 sp=0xc420501f98
created by net/http.(*Server).Serve
	/usr/lib/go-1.7/src/net/http/server.go:2293 +0x44d

Added RWLock where necessary.

You should not use constant time comparisons (due to possible timing attacks), and is the hashing done using md5 by default? See https://github.com/goji/httpauth for how it does this.

Hi there,

I'm running into a problem because using the library essentially changes the signature of the handle func and requires AuthenticatedRequest everywhere. This makes all subsequent method calls to methods that require http.Request fail.

The situation is following:

• config.yaml is structured in the following way:

auth:
  - /path1:
      - username1: <username>
        password1: <password>
      - username2: <username>
        password2: <password>
  - /path2:
      - username: <username>
        password: <password>

Now during the app initialization, I would like to enable Basic authentication for the path if respective path record is present and disable it otherwise (i.e. let all incoming request pass). I didn't manage to do that in any way, because auth expects auth.AuthenticatedHandlerFunc while http expects http.HandlerFunc and they are not interchangeable. That means that you need 2 handler functions - one for normal http, the other for Basic auth. That is kinda cumbersome.

So I just wanted to ask if I didn't oversee something. Am I right that it cannot be done easily as the interface is design right now?

Perhaps there could be another version of auth.Wrap that would simply put an empty Username into the AuthenticatedRequest passed into the handler and would not even attempt to authenticate the request?

Let me know what you think about it, I could even write it myself and send a pull request!

I'm finding this works great on most of my sites, and has been a drop-in replacement for Apache, but I have some exceptions. On a page that embeds two iframes that hit my protected (ie hits the server to check passwords in parallel twice at nearly the same moment), even if I have the password cached already, it fails to find a password, and gets int a loop where no matter how many times I enter it, it fails.

Curious if there is a race condition behind this. I'm attempting to debug.

Hi, This library is something I want to use, but there are no examples for how to use it. Specifically, your README does not show how to implement a Secret() func.. the comment says that the password is "hello", but it returns some hash. How should I generate that hash?
Thanks, Rob

[Scene] hi all

we use the go-http-auth for request authrization, but it takes up high CPU usage, the CPU graph as follows:

[Code analysis] According to the code, we see there is 1000 times loop for computing "final", we want to know if the operation is in line with expectations.

The questions are as follows:

1. Can we delete the loop ?
2. If you want to save the mechanism, Whether to consider the parameters(1000 times loop) can be configured?

Thanks a lot !

go build -race, will add instrumentation to catch race conditions. It caught problem within DigestAuth.clients (map)

I'm attaching a copy of digest.go. I changed the mutex to be a read/write mutex, so you could have finer grain control over it. this copy doesn't cause problems with -race

Also I started to fix golint problems https://github.com/golang/lint. But stopped, because it was getting out of hand. (Sorry for dirtying up the answer) digest.txt

Thanks for your awesome work on the repo!!

digest.txt is really digest.go!

The original code only detected the prefix "$2y$", but "$2a$" and "$2b$" are also valid. See https://en.wikipedia.org/wiki/Bcrypt.

It good that we may set basic auth on per-endpoint level

http.HandleFunc("/user/", authenticator.Wrap(handleUser))
http.HandleFunc("/book/", authenticator.Wrap(handleBook))

But for most cases it would be better to have some global "interceptor" for all endpoints. And looks like the most simple way is to make a delegating Handler and use it with SericeMux. Here I created a basic sample: https://gist.github.com/stokito/24b3e6efb3e1e9357c7d964a7df2c18c

Can you add such AuthHandler into the library?

Hi,

thanks for your great work, it's very usefull for me.

I did a little change to add support for more crypters:

https://github.com/webmeisterei/go-http-auth/commit/7616ea56faee4a7f203c195f22bee42c08774ce4

Do you want a pull request for that?

Thanks and Kind regards, René

When the authenticator's cache is purged, there was a consistent slice bounds out of range [:200] with capacity 181 panic occurring. Purging the entire cache resolves this error.

This is moved over from https://github.com/abbot/go-http-auth/pull/68, which is closed.

This library is great, and seems to be a full replacement for the standard Apache http auth. However it is impossible to actually use if someone doesn't know how to set passwords. I think people are left doing what I am doing: scratching my head and reading the source code, guessing, and failing repeatedly.

Ultimately this needs a simple extension to the README that:

• enumerates the ways that a password can be set
• shows one example of using each

Ideally one example shows how to just make it read a standard .htaccess file and have it just work. Everything else is a corner case.

If I figure this out, I'll make a PR.