Skip to content

Support HTTP BasicAuth for authentication with auth-user argument, password or hashedPassword #7173

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 2 commits into from
Closed

Support HTTP BasicAuth for authentication with auth-user argument, password or hashedPassword #7173

wants to merge 2 commits into from

Conversation

gaberudy
Copy link

Fixes #7142

Supersedes previous pull request #7143

@gaberudy gaberudy requested a review from a team as a code owner January 19, 2025 23:59
@gaberudy gaberudy mentioned this pull request Jan 20, 2025
Closed
Parkreiner
Parkreiner reviewed Feb 5, 2025
View reviewed changes
Copy link
Member

@Parkreiner Parkreiner left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for the contribution! Ended up leaving two small comments, but I'm worried I don't have enough architectural understanding of the project to give more finer-grained feedback

@bcpeinhardt @code-asher Pinging you just so you're aware of this PR

src/node/cli.ts
@@ -570,6 +577,14 @@ export async function setDefaults(cliArgs: UserProvidedArgs, configArgs?: Config
args.password = process.env.PASSWORD
}

const usingEnvAuthUser = !!process.env.AUTH_USER
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If this variable isn't going to be used for another 50+ lines, I think it'd be better to inline it inside the return type

src/node/http.ts
Comment on lines +129 to +142
try {
const base64Credentials = authHeader.split(" ")[1]
const credentials = Buffer.from(base64Credentials, "base64").toString("utf-8")
const [username, password] = credentials.split(":")
if (username !== authUser) return false
if (hashedPassword) {
return await isHashMatch(password, hashedPassword)
} else {
return safeCompare(password, authPassword || "")
}
} catch (error) {
logger.error("Error validating basic auth:" + error)
return false
}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could the logic for base64Credentials be updated to check that the split array has an element at index 1, and isn't potentially undefined? Once that's done, could the declaration be moved out of the block since that part of the code wouldn't be able to throw an error?

@code-asher code-asher force-pushed the main branch 7 times, most recently from 13754f3 to cc3c22d Compare March 7, 2025 21:25
@code-asher
Copy link
Member

Closing for now but happy to re-review if you come back to this.

@code-asher code-asher closed this Aug 4, 2025
@tachibanayui
Copy link

I would like to continue this if @gaberudy is no longer interested. I want to intergrate external authentication without setting auth=none

@code-asher
Copy link
Member

@tachibanayui that would be awesome.

If you do tackle this, one thought I had: I wonder if instead of a separate auth-user flag that affects only basic auth, we can make it part of the password, with the same format as basic auth itself (so username:password).

@tachibanayui
Copy link

Since this is intended for single user anyway, we can hard code the username code-server and use the password in the config file

@code-asher
Copy link
Member

Good point, I like the sound of that.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Parkreiner Parkreiner Parkreiner left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Support HTTP BasicAuth as alternative authentication
4 participants
@gaberudy @code-asher @tachibanayui @Parkreiner