Building a module for access controlled URLs

I’m not sure what the right terminology is for this, so forgive me. I’d like to write a module that:

  • given an incoming url like /file/foo.jpg/XXXXXXXXXX (where XXXXXXXXXX is a signed token)
  • check XXXXXXXXXX from my module to see if it gives access to /file/foo.jpg
  • if XXXXXXXXXX is valid, pass on the modified path (/file/foo.jpg) to the built in HTTP server, otherwise return an error

Is there an example that is close to this, or a suggested place/terminology in the docs where I should look?

Thanks!

(Unfortunately the signed token logic can’t be replaced, but that code is already in Go, so it wouldn’t take much to get it going, either. :-))

I think you could do this with a custom request matcher.

The idea is that you would use something like a path matcher (to avoid running your matcher all the time because I figure it could be costly to run a lot) + your custom matcher, where your custom matcher would verify that the token is valid and return true if it is, false otherwise.

If the matcher passes, then you can use the rewrite handler to allow access.

Maybe something like this (assuming hex digits for the token):

@validSignature {
	path_regexp signed_url ^(/file/.*)/([0-9a-f]+)$
	valid_signature <verification_key>
}
rewrite @validSignature {re.signed_url.1}

So basically, it uses a regexp to match the path and extract capture groups, where the first capture group is the /file/foo.jpg path. If that regexp matches, and your custom signature check passes, then you can rewrite using the first capture group as the new path.

Take a look at matchers.go which is where the majority of the request matchers are implemented in Caddy:
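As an added example (not part of the original posts and not Caddy's own code), this is the check such a custom matcher would perform, written with only the Go standard library. `ValidSignature`, `Verify` and `sign` are hypothetical names, and HMAC-SHA256 over the unsigned path is an assumption standing in for the poster's existing token logic.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"net/http"
	"net/http/httptest"
	"regexp"
)

// Same pattern as the path_regexp line in the Caddyfile snippet.
var signedURL = regexp.MustCompile(`^(/file/.*)/([0-9a-f]+)$`)

// sign stands in for the existing token logic (assumption: HMAC-SHA256 over the unsigned path).
func sign(key []byte, path string) []byte {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(path))
	return m.Sum(nil)
}

// ValidSignature is a hypothetical matcher type holding the verification key.
type ValidSignature struct{ Key []byte }

// Verify returns the unsigned path and whether the trailing token is valid for it.
func (v ValidSignature) Verify(urlPath string) (string, bool) {
	m := signedURL.FindStringSubmatch(urlPath)
	if m == nil {
		return "", false
	}
	got, err := hex.DecodeString(m[2])
	if err != nil { // e.g. odd number of hex digits
		return "", false
	}
	// hmac.Equal compares in constant time, so timing does not leak the expected token.
	return m[1], hmac.Equal(got, sign(v.Key, m[1]))
}

// Match reports whether the request carries a valid token for its path.
func (v ValidSignature) Match(r *http.Request) bool {
	_, ok := v.Verify(r.URL.Path)
	return ok
}

func main() {
	v := ValidSignature{Key: []byte("constructed-demo-key")}
	good := "/file/foo.jpg/" + hex.EncodeToString(sign(v.Key, "/file/foo.jpg"))
	fmt.Println(v.Match(httptest.NewRequest("GET", good, nil)), v.Match(httptest.NewRequest("GET", "/file/foo.jpg/abc", nil)))
}
```

Because the token is computed over the unsigned path itself, a token issued for one file does not validate when appended to a different path.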