when no password is set, dont allow access to admin page

This commit is contained in:
Matthias Bartelmeß 2012-04-03 14:17:19 +02:00
parent c7e3656df3
commit 396b586dbd
2 changed files with 17 additions and 9 deletions

View File

@ -50,8 +50,8 @@
/* This setting is used if you need http basic auth */
// "httpAuth" : "user:pass",
/* This setting is used for http basic auth for admin pages */
"adminHttpAuth" : "user:pass",
/* This setting is used for http basic auth for admin pages. If not set, the admin page won't be accessible from web*/
// "adminHttpAuth" : "user:pass",
/* The log level we are using, can be: DEBUG, INFO, WARN, ERROR */
"loglevel": "INFO",

View File

@ -6,22 +6,30 @@ var settings = require('../../utils/Settings');
//checks for basic http auth
exports.basicAuth = function (req, res, next) {
var pass = settings.httpAuth;
// When handling HTTP-Auth, an undefined password will lead to no authorization at all
var pass = settings.httpAuth || '';
if (req.path.indexOf('/admin') == 0) {
var pass = settings.adminHttpAuth;
}
// Just pass if not activated in Activate http basic auth if it has been defined in settings.json
if (!pass) {
// Just pass if password is an empty string
if (pass === '') {
return next();
}
if (req.headers.authorization && req.headers.authorization.search('Basic ') === 0) {
// fetch login and password
if (new Buffer(req.headers.authorization.split(' ')[1], 'base64').toString() == pass) {
// If a password has been set and auth headers are present...
if (pass && req.headers.authorization && req.headers.authorization.search('Basic ') === 0) {
// ...check login and password
if (new Buffer(req.headers.authorization.split(' ')[1], 'base64').toString() === pass) {
return next();
}
}
// Otherwise return Auth required Headers, delayed for 1 second, if auth failed.
res.header('WWW-Authenticate', 'Basic realm="Protected Area"');
if (req.headers.authorization) {
setTimeout(function () {