Merge pull request #589 from fourplusone/fix_admin_undefined_auth

Admin page security
pull/592/head
John McLear 2012-04-03 07:51:18 -07:00
commit 8be52df515
2 changed files with 17 additions and 9 deletions


@ -50,8 +50,8 @@
/* This setting is used if you need http basic auth */ /* This setting is used if you need http basic auth */
// "httpAuth" : "user:pass", // "httpAuth" : "user:pass",
/* This setting is used for http basic auth for admin pages */ /* This setting is used for http basic auth for admin pages. If not set, the admin page won't be accessible from web*/
"adminHttpAuth" : "user:pass", // "adminHttpAuth" : "user:pass",
/* The log level we are using, can be: DEBUG, INFO, WARN, ERROR */ /* The log level we are using, can be: DEBUG, INFO, WARN, ERROR */
"loglevel": "INFO", "loglevel": "INFO",


@ -6,22 +6,30 @@ var settings = require('../../utils/Settings');
//checks for basic http auth //checks for basic http auth
exports.basicAuth = function (req, res, next) { exports.basicAuth = function (req, res, next) {
var pass = settings.httpAuth;
// When handling HTTP-Auth, an undefined password will lead to no authorization at all
var pass = settings.httpAuth || '';
if (req.path.indexOf('/admin') == 0) { if (req.path.indexOf('/admin') == 0) {
var pass = settings.adminHttpAuth; var pass = settings.adminHttpAuth;
} }
// Just pass if not activated in Activate http basic auth if it has been defined in settings.json
if (!pass) { // Just pass if password is an empty string
if (pass === '') {
return next(); return next();
} }
if (req.headers.authorization && req.headers.authorization.search('Basic ') === 0) {
// fetch login and password // If a password has been set and auth headers are present...
if (new Buffer(req.headers.authorization.split(' ')[1], 'base64').toString() == pass) { if (pass && req.headers.authorization && req.headers.authorization.search('Basic ') === 0) {
// ...check login and password
if (new Buffer(req.headers.authorization.split(' ')[1], 'base64').toString() === pass) {
return next(); return next();
} }
} }
// Otherwise return Auth required Headers, delayed for 1 second, if auth failed.
res.header('WWW-Authenticate', 'Basic realm="Protected Area"'); res.header('WWW-Authenticate', 'Basic realm="Protected Area"');
if (req.headers.authorization) { if (req.headers.authorization) {
setTimeout(function () { setTimeout(function () {