Add basic auth to simple provider

Signed-off-by: Knut Ahlers <knut@ahlers.me>
2024-10-18 07:34:22 +00:00 · 2018-01-28 19:32:39 +01:00 · 2018-01-28 19:32:39 +01:00 · 068ede3748
commit 068ede3748
parent daa85d5016
2 changed files with 34 additions and 8 deletions
--- a/README.md
+++ b/README.md
@ -88,6 +88,8 @@ The simple auth provider consists of a static mapping between users and password
 ```yaml
 providers:
  simple:
+    enable_basic_auth: false
+
    # Unique username mapped to bcrypt hashed password
    users:
      luzifer: "$2a$10$FSGAF8qDWX52aBID8.WpxOyCvfSQ3JIUVFiwyd1jolb4jM3BzJmNu"
@ -101,6 +103,8 @@ providers:

 You can see how to configure the provider the example above: No surprises, just ensure you are using bcrypt hashes for the passwords, no other hash functions are supported.

+If `enable_basic_auth` is set to `true` the credentials can also be submitted through basic auth. This is useful for services whose clients does not support other types of authentication.
+
 ### Provider configuration: Token Auth (`token`)

 The token auth provider is intended to give machines access to endpoints. Users will not be able to "login" using tokens when they see the login form.
--- a/auth_simple.go
+++ b/auth_simple.go
@ -14,6 +14,7 @@ func init() {
 }

 type authSimple struct {
+	EnableBasicAuth bool                `yaml:"enable_basic_auth"`
 	Users           map[string]string   `yaml:"users"`
 	Groups          map[string][]string `yaml:"groups"`
 }
@ -41,6 +42,7 @@ func (a *authSimple) Configure(yamlSource []byte) error {
 		return errAuthenticatorUnconfigured
 	}

+	a.EnableBasicAuth = envelope.Providers.Simple.EnableBasicAuth
 	a.Users = envelope.Providers.Simple.Users
 	a.Groups = envelope.Providers.Simple.Groups

@ -52,15 +54,35 @@ func (a *authSimple) Configure(yamlSource []byte) error {
 // If no user was detected the errNoValidUserFound needs to be
 // returned
 func (a authSimple) DetectUser(r *http.Request) (string, []string, error) {
+	var user string
+
+	if a.EnableBasicAuth {
+		if basicUser, basicPass, ok := r.BasicAuth(); ok {
+			for u, p := range a.Users {
+				if u != basicUser {
+					continue
+				}
+				if bcrypt.CompareHashAndPassword([]byte(p), []byte(basicPass)) != nil {
+					continue
+				}
+
+				user = basicUser
+			}
+		}
+	}
+
+	if user == "" {
 		sess, err := cookieStore.Get(r, strings.Join([]string{mainCfg.Cookie.Prefix, a.AuthenticatorID()}, "-"))
 		if err != nil {
 			return "", nil, errNoValidUserFound
 		}

-	user, ok := sess.Values["user"].(string)
+		var ok bool
+		user, ok = sess.Values["user"].(string)
 		if !ok {
 			return "", nil, errNoValidUserFound
 		}
+	}

 	groups := []string{}
 	for group, users := range a.Groups {