From 396b586dbddaa681eebdca65df0ab274f563f5ab Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Matthias=20Bartelme=C3=9F?= Date: Tue, 3 Apr 2012 14:17:19 +0200 Subject: [PATCH] when no password is set, dont allow access to admin page --- settings.json.template | 4 ++-- src/node/hooks/express/webaccess.js | 22 +++++++++++++++------- 2 files changed, 17 insertions(+), 9 deletions(-) diff --git a/settings.json.template b/settings.json.template index ff135993..7aaa5d7e 100644 --- a/settings.json.template +++ b/settings.json.template @@ -50,8 +50,8 @@ /* This setting is used if you need http basic auth */ // "httpAuth" : "user:pass", - /* This setting is used for http basic auth for admin pages */ - "adminHttpAuth" : "user:pass", + /* This setting is used for http basic auth for admin pages. If not set, the admin page won't be accessible from web*/ + // "adminHttpAuth" : "user:pass", /* The log level we are using, can be: DEBUG, INFO, WARN, ERROR */ "loglevel": "INFO", diff --git a/src/node/hooks/express/webaccess.js b/src/node/hooks/express/webaccess.js index e77e133c..d0e28737 100644 --- a/src/node/hooks/express/webaccess.js +++ b/src/node/hooks/express/webaccess.js @@ -6,22 +6,30 @@ var settings = require('../../utils/Settings'); //checks for basic http auth exports.basicAuth = function (req, res, next) { - var pass = settings.httpAuth; + + // When handling HTTP-Auth, an undefined password will lead to no authorization at all + var pass = settings.httpAuth || ''; + if (req.path.indexOf('/admin') == 0) { var pass = settings.adminHttpAuth; + } - // Just pass if not activated in Activate http basic auth if it has been defined in settings.json - if (!pass) { + + // Just pass if password is an empty string + if (pass === '') { return next(); } - - if (req.headers.authorization && req.headers.authorization.search('Basic ') === 0) { - // fetch login and password - if (new Buffer(req.headers.authorization.split(' ')[1], 'base64').toString() == pass) { + + + // If a password has been set and auth headers are present... + if (pass && req.headers.authorization && req.headers.authorization.search('Basic ') === 0) { + // ...check login and password + if (new Buffer(req.headers.authorization.split(' ')[1], 'base64').toString() === pass) { return next(); } } + // Otherwise return Auth required Headers, delayed for 1 second, if auth failed. res.header('WWW-Authenticate', 'Basic realm="Protected Area"'); if (req.headers.authorization) { setTimeout(function () {