Merge pull request #589 from fourplusone/fix_admin_undefined_auth

Admin page security

settings.json.template

@@ -50,8 +50,8 @@
   /* This setting is used if you need http basic auth */
   // "httpAuth" : "user:pass",
 
-  /* This setting is used for http basic auth for admin pages */
+  /* This setting is used for http basic auth for admin pages. If not set, the admin page won't be accessible from web*/
-  "adminHttpAuth" : "user:pass",
+  // "adminHttpAuth" : "user:pass",
 
   /* The log level we are using, can be: DEBUG, INFO, WARN, ERROR */
   "loglevel": "INFO",

src/node/hooks/express/webaccess.js

@@ -6,22 +6,30 @@ var settings = require('../../utils/Settings');
 
 //checks for basic http auth
 exports.basicAuth = function (req, res, next) {
-  var pass = settings.httpAuth;
+  
+  // When handling HTTP-Auth, an undefined password will lead to no authorization at all
+  var pass = settings.httpAuth || '';
+  
   if (req.path.indexOf('/admin') == 0) {
     var pass = settings.adminHttpAuth;
+    
   }
-  // Just pass if not activated in Activate http basic auth if it has been defined in settings.json
+  
-  if (!pass) {
+  // Just pass if password is an empty string
+  if (pass === '') {
     return next();
   }
   
-  if (req.headers.authorization && req.headers.authorization.search('Basic ') === 0) {
+  
-    // fetch login and password
+  // If a password has been set and auth headers are present...
-    if (new Buffer(req.headers.authorization.split(' ')[1], 'base64').toString() == pass) {
+  if (pass && req.headers.authorization && req.headers.authorization.search('Basic ') === 0) {
+    // ...check login and password
+    if (new Buffer(req.headers.authorization.split(' ')[1], 'base64').toString() === pass) {
       return next();
     }
   }
 
+  // Otherwise return Auth required Headers, delayed for 1 second, if auth failed.
   res.header('WWW-Authenticate', 'Basic realm="Protected Area"');
   if (req.headers.authorization) {
     setTimeout(function () {