feat: optional basic auth support

moul · Nov 26, 2019 · d324fc2 · d324fc2
1 parent 3baab44
commit d324fc2
Show file tree

Hide file tree

Showing 3 changed files with 43 additions and 0 deletions.
diff --git a/cmd/depviz/main.go b/cmd/depviz/main.go
@@ -52,6 +52,8 @@ var (
 	serverWithPprof          = serverFlags.Bool("with-pprof", false, "enable pprof endpoints")
 	serverWithoutRecovery    = serverFlags.Bool("without-recovery", false, "disable panic recovery (dev)")
 	serverWithoutCache       = serverFlags.Bool("without-cache", false, "disable HTTP caching")
+	serverBasicAuth          = serverFlags.String("basic-auth", "", "basic auth password (user='depviz')")
+	serverRealm              = serverFlags.String("realm", "DepViz", "server Realm")
 
 	runFlags            = flag.NewFlagSet("run", flag.ExitOnError)
 	runNoPull           = runFlags.Bool("no-pull", false, "don't pull providers (graph only)")
@@ -293,6 +295,8 @@ func execServer(args []string) error {
 			WithPprof:          *serverWithPprof,
 			WithoutRecovery:    *serverWithoutRecovery,
 			WithoutCache:       *serverWithoutCache,
+			BasicAuth:          *serverBasicAuth,
+			Realm:              *serverRealm,
 			Godmode:            *serverGodmode,
 		}
 		svc, err = dvserver.New(ctx, store, schemaConfig, opts)

diff --git a/internal/dvserver/auth.go b/internal/dvserver/auth.go
@@ -0,0 +1,31 @@
+package dvserver
+
+import (
+	"fmt"
+	"net/http"
+)
+
+func basicAuth(basicAuth string, realm string) func(http.Handler) http.Handler {
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			_, password, ok := r.BasicAuth()
+			if !ok {
+				unauthorized(w, realm)
+				return
+			}
+
+			if basicAuth == password {
+				next.ServeHTTP(w, r)
+				return
+			}
+
+			unauthorized(w, realm)
+		})
+	}
+}
+
+func unauthorized(w http.ResponseWriter, realm string) {
+	w.Header().Add("WWW-Authenticate", fmt.Sprintf(`Basic realm="%s"`, realm))
+	w.WriteHeader(http.StatusUnauthorized)
+	fmt.Fprintf(w, "invalid credentials\n")
+}
diff --git a/internal/dvserver/server.go b/internal/dvserver/server.go
@@ -40,6 +40,8 @@ type Opts struct {
 	WithPprof          bool
 	Godmode            bool
 	WithoutCache       bool
+	BasicAuth          string
+	Realm              string
 }
 
 type Service interface {
@@ -76,6 +78,9 @@ func New(ctx context.Context, h *cayley.Handle, schema *schema.Config, opts Opts
 	if opts.CORSAllowedOrigins == "" {
 		opts.CORSAllowedOrigins = "*"
 	}
+	if opts.Realm == "" {
+		opts.Realm = "DepViz"
+	}
 
 	svc := service{
 		ctx:    ctx,
@@ -133,6 +138,9 @@ func New(ctx context.Context, h *cayley.Handle, schema *schema.Config, opts Opts
 
 	if opts.HTTPBind != "" {
 		r := chi.NewRouter()
+		if opts.BasicAuth != "" {
+			r.Use(basicAuth(opts.BasicAuth, opts.Realm))
+		}
 		cors := cors.New(cors.Options{
 			AllowedOrigins:   strings.Split(opts.CORSAllowedOrigins, ","),
 			AllowedMethods:   []string{"GET", "POST", "PUT", "DELETE", "OPTIONS"},