
HTTP Basic auth support #6

Merged
merged 7 commits into from
Nov 18, 2024

Conversation

metachris
Contributor

@metachris metachris commented Nov 13, 2024

📝 Summary

Enables basic auth support for API requests.

The basic auth password is configurable through API and/or file. If set via API, the salted hash is stored in the file to persist across reboots.

Config-file updates:

```toml
[general]
# HTTP Basic Auth
basic_auth_secret_path = "basic-auth-secret.txt" # basic auth is supported if a path is provided
basic_auth_secret_salt = "D;%yL9TS:5PalS/d"      # use a random string for the salt
```

basic_auth_secret_path specifies the file to store the salted, hashed secret in. It's loaded (or created) on startup.

  • If the file is not empty, API requests need to include an HTTP basic auth password that matches that SHA256 hash (user admin).
  • If empty, no authentication is required for API requests until a secret is configured through API or file. If /api/v1/set-basic-auth is called, it uses the payload as secret (immediately) and writes the hash of the secret to the file (for reuse across restarts).
  • If the file does not exist, it is created (empty).

Only the salted SHA256 hash of the password is stored, both in the file as well as in memory.

The secret can be overwritten (updated) via API call, if the request provides the previous http basic auth secret.

Also added tests and updated the README.


✅ I have run these commands

  • make lint
  • make test
  • go mod tidy

@metachris metachris force-pushed the basic-auth branch 8 times, most recently from c29ee18 to a612ad3 Compare November 13, 2024 13:23
Base automatically changed from config to main November 14, 2024 14:38
@metachris metachris force-pushed the basic-auth branch 10 times, most recently from b229401 to 42e0f6a Compare November 14, 2024 16:49
@metachris metachris force-pushed the basic-auth branch 2 times, most recently from af40417 to 66ac4f6 Compare November 14, 2024 16:50
@MoeMahhouk

An unrelated question, but how is the system-api protected against DoS attacks here?
Can someone technically abuse the exposed API to send a large number of requests to make the instance slow and disrupt the execution of the other services on it?

@metachris
Contributor Author

> An unrelated question, but how is the system-api protected against DoS attacks here?

Good questions. Keep in mind, this API is not public! It's only available to the operator, who configures access on his cloud firewall and doesn't expose it publicly.

@metachris metachris merged commit 347544f into main Nov 18, 2024
2 checks passed
@metachris metachris deleted the basic-auth branch November 18, 2024 11:35