Enabled HTTP Basic Auth (#16)

Author: FileGo

README.md

@@ -151,6 +151,7 @@ The following configuration options are available:
 * `--cert` path to the ssl cert file (defaults to `cert.pem`)
 * `--key` path to the ssl key file (defaults to `key.pem`)
 * `--dir` directory path to serve (defaults to `.`, also configurable by `arg[0]`)
+* `--users` path to users file (defaults to `users.dat`); file should contain lines of username:password in plain text
 
 ## Development
 

cmd/serve/main.go

@@ -20,6 +20,7 @@ func main() {
 	flag.StringVar(&opt.CertFile, "cert", "cert.pem", "path to the ssl cert file")
 	flag.StringVar(&opt.KeyFile, "key", "key.pem", "path to the ssl key file")
 	flag.StringVar(&opt.Directory, "dir", "", "directory path to serve")
+	flag.StringVar(&opt.UsersFile, "users", "users.dat", "path to users file")
 	flag.Parse()
 
 	log := log.New(os.Stderr, "[serve] ", log.LstdFlags)

internal/commands/server.go

@@ -1,9 +1,13 @@
 package commands
 
 import (
+	"bufio"
+	"io"
 	"log"
 	"net"
 	"net/http"
+	"os"
+	"strings"
 	"time"
 
 	"github.com/syntaqx/serve"
@@ -30,16 +34,48 @@ func GetStdHTTPServer(addr string, h http.Handler) HTTPServer {
 	}
 }
 
+func GetAuthUsers(r io.Reader) map[string]string {
+	users := make(map[string]string)
+
+	if r != nil {
+		scanner := bufio.NewScanner(r)
+		for scanner.Scan() {
+			if line := strings.Split(scanner.Text(), ":"); len(line) == 2 { // use only if correct format
+				users[line[0]] = line[1]
+			}
+		}
+
+		if err := scanner.Err(); err != nil {
+			log.Fatalf("error occured during reading users file")
+		}
+	}
+
+	return users
+}
+
 // Server implements the static http server command.
 func Server(log *log.Logger, opt config.Flags, dir string) error {
 	fs := serve.NewFileServer(serve.Options{
 		Directory: dir,
 	})
 
+	// Authorization
+	var f io.Reader
+	if _, err := os.Stat(opt.UsersFile); !os.IsNotExist(err) {
+		// Config file exists, load data
+		f, err = os.Open(opt.UsersFile)
+		if err != nil {
+			log.Fatalf("unable to open users file %s", opt.UsersFile)
+		}
+	} else {
+		log.Printf("%s does not exist, no authentication required", opt.UsersFile)
+	}
+
 	fs.Use(
 		middleware.Logger(log),
 		middleware.Recover(),
 		middleware.CORS(),
+		middleware.Auth(GetAuthUsers(f)),
 	)
 
 	addr := net.JoinHostPort(opt.Host, opt.Port)

internal/commands/server_test.go

@@ -4,6 +4,7 @@ import (
 	"bytes"
 	"log"
 	"net/http"
+	"strings"
 	"testing"
 	"time"
 
@@ -74,3 +75,34 @@ func TestServerHTTPS(t *testing.T) {
 
 	getHTTPServerFunc = GetStdHTTPServer
 }
+
+func TestGetAuthUsers(t *testing.T) {
+	tests := []struct {
+		input  string
+		output map[string]string
+	}{
+		{ // Single user
+			"user1:pass1", map[string]string{
+				"user1": "pass1",
+			},
+		},
+		{ // Multiple users
+			"user1:pass1\nuser2:pass2", map[string]string{
+				"user1": "pass1",
+				"user2": "pass2",
+			},
+		},
+		{ // Empty file
+			"", map[string]string{},
+		},
+		{ // Incorrect structure
+			"user1:pass1:field1", map[string]string{},
+		},
+	}
+
+	for _, test := range tests {
+		mockFile := strings.NewReader(test.input)
+		assert.Equal(t, GetAuthUsers(mockFile), test.output)
+	}
+
+}

internal/config/flags.go

@@ -15,6 +15,7 @@ type Flags struct {
 	CertFile  string
 	KeyFile   string
 	Directory string
+	UsersFile string
 }
 
 // SanitizeDir allows a directory source to be set from multiple values. If any

internal/middleware/auth.go

@@ -0,0 +1,38 @@
+package middleware
+
+import "net/http"
+
+// Auth sets basic HTTP authorization
+func Auth(users map[string]string) func(next http.Handler) http.Handler {
+	return func(next http.Handler) http.Handler {
+		fn := func(w http.ResponseWriter, r *http.Request) {
+			// Only require auth if we have any users
+			if len(users) > 0 {
+				authUser, authPass, ok := r.BasicAuth()
+				if !ok {
+					// No username/password received
+					w.Header().Set("WWW-Authenticate", "Basic realm=Authenticate")
+					w.WriteHeader(http.StatusUnauthorized)
+				} else {
+					if pass, ok := users[authUser]; ok {
+						// User exists
+						if pass == authPass {
+							// Authentication successful
+							next.ServeHTTP(w, r)
+						} else {
+							http.Error(w, "Incorrect login details", http.StatusUnauthorized)
+							return
+						}
+					} else {
+						http.Error(w, "Incorrect login details", http.StatusUnauthorized)
+						return
+					}
+				}
+			} else {
+				next.ServeHTTP(w, r)
+			}
+		}
+
+		return http.HandlerFunc(fn)
+	}
+}

internal/middleware/auth_test.go

@@ -0,0 +1,55 @@
+package middleware
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestAuth(t *testing.T) {
+	t.Parallel()
+	assert := assert.New(t)
+
+	req, err := http.NewRequest(http.MethodGet, "/", nil)
+	assert.NoError(err)
+	res := httptest.NewRecorder()
+
+	// No users
+	testHandler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {})
+	Auth(nil)(testHandler).ServeHTTP(res, req)
+	assert.Equal("", res.Header().Get("WWW-Authenticate"))
+
+	// Some users
+	testUsers := map[string]string{
+		"user1": "pass1",
+		"user2": "pass2",
+	}
+	Auth(testUsers)(testHandler).ServeHTTP(res, req)
+	assert.Equal("Basic realm=Authenticate", res.Header().Get("WWW-Authenticate"))
+	assert.Equal(http.StatusUnauthorized, res.Result().StatusCode)
+
+	// Correct password
+	// Recreate new environment
+	testHandler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {})
+	req, err = http.NewRequest(http.MethodGet, "/", nil)
+	assert.NoError(err)
+	res = httptest.NewRecorder()
+
+	req.SetBasicAuth("user1", "pass1")
+	Auth(testUsers)(testHandler).ServeHTTP(res, req)
+	assert.Equal("", res.Header().Get("WWW-Authenticate"))
+	assert.Equal(http.StatusOK, res.Result().StatusCode)
+
+	// Incorrect password
+	// Recreate new environment
+	testHandler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {})
+	req, err = http.NewRequest(http.MethodGet, "/", nil)
+	assert.NoError(err)
+	res = httptest.NewRecorder()
+
+	req.SetBasicAuth("user1", "pass2")
+	Auth(testUsers)(testHandler).ServeHTTP(res, req)
+	assert.Equal(http.StatusUnauthorized, res.Result().StatusCode)
+}