diff options
| author | Matthias Bartelmeß <mba@fourplusone.de> | 2012-04-03 14:17:19 +0200 |
|---|---|---|
| committer | Matthias Bartelmeß <mba@fourplusone.de> | 2012-04-03 14:17:19 +0200 |
| commit | 396b586dbddaa681eebdca65df0ab274f563f5ab (patch) | |
| tree | 174ed2db0e32a94148bb260bfb7e5e87c1add780 | |
| parent | c7e3656df369d09e8a8040ce90fb222a5a9204d8 (diff) | |
| download | etherpad-lite-396b586dbddaa681eebdca65df0ab274f563f5ab.zip | |
when no password is set, dont allow access to admin page
| -rw-r--r-- | settings.json.template | 4 | ||||
| -rw-r--r-- | src/node/hooks/express/webaccess.js | 22 |
2 files changed, 17 insertions, 9 deletions
diff --git a/settings.json.template b/settings.json.template index ff135993..7aaa5d7e 100644 --- a/settings.json.template +++ b/settings.json.template @@ -50,8 +50,8 @@ /* This setting is used if you need http basic auth */ // "httpAuth" : "user:pass", - /* This setting is used for http basic auth for admin pages */ - "adminHttpAuth" : "user:pass", + /* This setting is used for http basic auth for admin pages. If not set, the admin page won't be accessible from web*/ + // "adminHttpAuth" : "user:pass", /* The log level we are using, can be: DEBUG, INFO, WARN, ERROR */ "loglevel": "INFO", diff --git a/src/node/hooks/express/webaccess.js b/src/node/hooks/express/webaccess.js index e77e133c..d0e28737 100644 --- a/src/node/hooks/express/webaccess.js +++ b/src/node/hooks/express/webaccess.js @@ -6,22 +6,30 @@ var settings = require('../../utils/Settings'); //checks for basic http auth exports.basicAuth = function (req, res, next) { - var pass = settings.httpAuth; + + // When handling HTTP-Auth, an undefined password will lead to no authorization at all + var pass = settings.httpAuth || ''; + if (req.path.indexOf('/admin') == 0) { var pass = settings.adminHttpAuth; + } - // Just pass if not activated in Activate http basic auth if it has been defined in settings.json - if (!pass) { + + // Just pass if password is an empty string + if (pass === '') { return next(); } - - if (req.headers.authorization && req.headers.authorization.search('Basic ') === 0) { - // fetch login and password - if (new Buffer(req.headers.authorization.split(' ')[1], 'base64').toString() == pass) { + + + // If a password has been set and auth headers are present... + if (pass && req.headers.authorization && req.headers.authorization.search('Basic ') === 0) { + // ...check login and password + if (new Buffer(req.headers.authorization.split(' ')[1], 'base64').toString() === pass) { return next(); } } + // Otherwise return Auth required Headers, delayed for 1 second, if auth failed. res.header('WWW-Authenticate', 'Basic realm="Protected Area"'); if (req.headers.authorization) { setTimeout(function () { |