Test: signRequired middleware

pkg/auth/auth.go

@@ -22,17 +22,18 @@ type Auth interface {
 	Check(body string, sign string) error
 }
 
-// SignURI 对URI进行签名
+// SignURI 对URI进行签名,签名只针对Path部分，query部分不做验证
 // TODO 测试
 func SignURI(uri string, expires int64) (*url.URL, error) {
-	// 生成签名
-	sign := General.Sign(uri, expires)
-
-	// 将签名加到URI中
 	base, err := url.Parse(uri)
 	if err != nil {
 		return nil, err
 	}
+
+	// 生成签名
+	sign := General.Sign(base.Path, expires)
+
+	// 将签名加到URI中
 	queries := base.Query()
 	queries.Set("sign", sign)
 	base.RawQuery = queries.Encode()
@@ -47,9 +48,8 @@ func CheckURI(url *url.URL) error {
 	sign := queries.Get("sign")
 	queries.Del("sign")
 	url.RawQuery = queries.Encode()
-	requestURI := url.RequestURI()
 
-	return General.Check(requestURI, sign)
+	return General.Check(url.Path, sign)
 }
 
 // Init 初始化通用鉴权器

pkg/auth/auth_test.go

@@ -0,0 +1,48 @@
+package auth
+
+import (
+	"github.com/HFO4/cloudreve/pkg/util"
+	"github.com/stretchr/testify/assert"
+	"testing"
+	"time"
+)
+
+func TestSignURI(t *testing.T) {
+	asserts := assert.New(t)
+	General = HMACAuth{SecretKey: []byte(util.RandStringRunes(256))}
+
+	// 成功
+	{
+		sign, err := SignURI("/api/v3/something?id=1", 0)
+		asserts.NoError(err)
+		queries := sign.Query()
+		asserts.Equal("1", queries.Get("id"))
+		asserts.NotEmpty(queries.Get("sign"))
+	}
+
+	// URI解码失败
+	{
+		sign, err := SignURI("://dg.;'f]gh./'", 0)
+		asserts.Error(err)
+		asserts.Nil(sign)
+	}
+}
+
+func TestCheckURI(t *testing.T) {
+	asserts := assert.New(t)
+	General = HMACAuth{SecretKey: []byte(util.RandStringRunes(256))}
+
+	// 成功
+	{
+		sign, err := SignURI("/api/ok?if=sdf&fd=go", time.Now().Unix()+10)
+		asserts.NoError(err)
+		asserts.NoError(CheckURI(sign))
+	}
+
+	// 过期
+	{
+		sign, err := SignURI("/api/ok?if=sdf&fd=go", time.Now().Unix()-1)
+		asserts.NoError(err)
+		asserts.Error(CheckURI(sign))
+	}
+}