Add support for bearer token authentication

gmta · gmta · commit d27b27540bf8 · 2023-01-19T10:54:05.000+01:00
This sets the `Authorization: Bearer [token]` header in upstream proxy
requests, allowing for mirrors of e.g. GitLab.
diff --git a/.env.dist b/.env.dist
@@ -11,16 +11,14 @@ VELOCITA_HTTPS_PORT=8443
 #VELOCITA_AUTH_TYPE=none
 
 ##
-# GitHub mirror configuration
+# Mirrors configuration
 ##
 
+# GitHub codeload
 MIRROR_GITHUB_CODELOAD_URL=https://codeload.github.com
 #MIRROR_GITHUB_CODELOAD_CACHE_SIZE=1g
 
-##
-# Composer repository mirrors
-##
-
+# Packagist
 MIRROR_PACKAGIST_URL=https://repo.packagist.org
 MIRROR_PACKAGIST_TYPE=composer
 #MIRROR_PACKAGIST_CACHE_EXPIRY=3650d
@@ -31,3 +29,9 @@ MIRROR_PACKAGIST_TYPE=composer
 #MIRROR_PACKAGIST_AUTH_USERNAME=
 #MIRROR_PACKAGIST_AUTH_PASSWORD=
 #MIRROR_PACKAGIST_USER_AGENT=Velocita Composer Cache
+
+# GitLab (example)
+#MIRROR_GITLAB_URL=https://gitlab.com
+#MIRROR_GITLAB_TYPE=composer
+#MIRROR_GITLAB_AUTH_TYPE=bearer
+#MIRROR_GITLAB_AUTH_PASSWORD=...
diff --git a/proxy/README.md b/proxy/README.md
@@ -59,9 +59,9 @@ For every mirror, the following configuration options are available:
 | `MIRROR_{name}_CACHE_SIZE`           | No       | Size (default: `1g`)                   | Maximum size of this mirror's cache      |
 | `MIRROR_{name}_ALLOW_REVALIDATE`     | No       | Boolean (default: `false`)             | Allow revalidation of cached items       |
 | `MIRROR_{name}_PACKAGES_JSON_EXPIRY` | No       | Time (default: `2m`)                   | Time after which `packages.json` expires |
-| `MIRROR_{name}_AUTH_TYPE`            | No       | Always `basic` (default)               | Type of upstream authentication          |
-| `MIRROR_{name}_AUTH_USERNAME`        | No       | String                                 | Username for basic authentication        |
-| `MIRROR_{name}_AUTH_PASSWORD`        | No       | String                                 | Password for basic authentication        |
+| `MIRROR_{name}_AUTH_TYPE`            | No       | One of: `basic` (default), `bearer`    | Type of upstream authentication          |
+| `MIRROR_{name}_AUTH_USERNAME`        | No       | String                                 | Username for authentication              |
+| `MIRROR_{name}_AUTH_PASSWORD`        | No       | String                                 | Password or token for authentication     |
 | `MIRROR_{name}_USER_AGENT`           | No       | String                                 | User Agent header sent to upstream       |
 
 For time and size unit syntax, see: http://nginx.org/en/docs/syntax.html
diff --git a/proxy/templates/proxy.conf.erb b/proxy/templates/proxy.conf.erb
@@ -147,6 +147,10 @@ server {
       <%- unless mirror[:auth_user].empty? || mirror[:auth_pass].empty? -%>
         proxy_set_header Authorization "Basic <%= Base64.strict_encode64("#{mirror[:auth_user]}:#{mirror[:auth_pass]}") %>";
       <%- end -%>
+    <%- when 'bearer' -%>
+      <%- unless mirror[:auth_pass].empty? -%>
+        proxy_set_header Authorization "Bearer <%= mirror[:auth_pass] %>";
+      <%- end -%>
     <%- end -%>
     <%- if mirror[:type] == 'composer' -%>
 
