basic auth

Author: alshdavid

Cargo.lock

@@ -36,6 +36,7 @@ tokio-util = { version = "0.7.15", features = [
 ] }
 brotli = "8.0.0"
 urlencoding = "2.1.3"
+base64 = "0.22.1"
 
 [target.'cfg(unix)'.dependencies]
 unix_mode = "0.1.4"

Cargo.toml

@@ -97,8 +97,6 @@ fmt:
 fmt_fix *ARGS:
   cargo +nightly fmt
 
-
-
 watch *ARGS:
   cargo watch --watch src -- just run {{ARGS}}
 

justfile

@@ -0,0 +1 @@
+

src/auth/mod.rs

@@ -0,0 +1,15 @@
+#![allow(unused)]
+
+use base64::prelude::*;
+
+pub fn encode<S: AsRef<str>>(input: S) -> String {
+  BASE64_STANDARD.encode(input.as_ref().as_bytes())
+}
+
+pub fn decode_bytes<S: AsRef<str>>(input: S) -> anyhow::Result<Vec<u8>> {
+  Ok(BASE64_STANDARD.decode(input.as_ref().as_bytes())?)
+}
+
+pub fn decode_string<S: AsRef<str>>(input: S) -> anyhow::Result<String> {
+  Ok(String::from_utf8(decode_bytes(input)?)?)
+}

src/b64/mod.rs

@@ -30,6 +30,10 @@ pub struct CliCommand {
   #[arg(short = 'H', long = "header")]
   pub headers: Vec<String>,
 
+  /// Put server behind basic auth (Format "username:password")
+  #[arg(long = "auth")]
+  pub basic_auth: Vec<String>,
+
   /// Enable CORS header
   #[arg(long = "cors")]
   pub cors: bool,

src/cli.rs

@@ -22,6 +22,7 @@ pub struct Config {
   pub domain: String,
   pub domain_pretty: String,
   pub headers: HashMap<String, Vec<String>>,
+  pub basic_auth: HashMap<String, String>,
   pub quiet: bool,
   pub watch: bool,
   pub watch_dir: PathBuf,
@@ -79,6 +80,17 @@ impl Config {
       );
     }
 
+    let mut basic_auth = HashMap::<String, String>::new();
+
+    for val in command.basic_auth {
+      let Some((key, value)) = val.split_once(":") else {
+        return Err(anyhow::anyhow!("Unable to parse auth"));
+      };
+      let key = key.to_string();
+      let value = value.to_string();
+      basic_auth.insert(key, value);
+    }
+
     if command.cors {
       headers.insert(
         "Access-Control-Allow-Origin".to_string(),
@@ -122,6 +134,7 @@ impl Config {
       compress: command.compress,
       sab: command.sab,
       address: command.address,
+      basic_auth,
       port: command.port,
       headers,
       quiet: command.quiet,

src/config.rs

@@ -1,6 +1,8 @@
 #![deny(unused_crate_dependencies)]
 #![allow(clippy::module_inception)]
 
+mod auth;
+mod b64;
 mod cli;
 mod compress;
 mod config;
@@ -118,6 +120,39 @@ async fn main_async() -> anyhow::Result<()> {
       let watcher = watcher.clone();
 
       async move {
+        // Basic Auth
+        if !config.basic_auth.is_empty() {
+          let Some(header) = req.headers().get("authorization") else {
+            return Ok(
+              res
+                .header(
+                  "WWW-Authenticate",
+                  "Basic realm=\"http-server-rs\"".to_string(),
+                )
+                .status(401)
+                .body_from("")?,
+            );
+          };
+
+          let Some((_, token)) = header.to_str()?.split_once(" ") else {
+            return Ok(res.status(500).body_from("Invalid basic auth header")?);
+          };
+
+          let decoded = b64::decode_string(token)?;
+
+          let Some((username, password)) = decoded.split_once(":") else {
+            return Ok(res.status(500).body_from("Invalid basic auth header")?);
+          };
+
+          let Some(creds) = config.basic_auth.get(username) else {
+            return Ok(res.status(403).body_from("")?);
+          };
+
+          if creds != password {
+            return Ok(res.status(403).body_from("")?);
+          }
+        }
+
         // Remove the leading slash
         let req_path = req.uri().path().to_string().replacen("/", "", 1);
         let req_path = urlencoding::decode(&req_path)?.to_string();