Fix basic authentication on httpNode/Admin/Static

2015-11-10 15:44:48 +00:00 · 2015-11-10 15:44:48 +00:00 · 34537180c3
parent cb01920ee6
commit 34537180c3
3 changed files with 18 additions and 17 deletions
--- a/package.json
+++ b/package.json
@ -1,6 +1,6 @@
 {
    "name"         : "node-red",
-    "version"      : "0.12.0",
+    "version"      : "0.12.1",
    "description"  : "A visual tool for wiring the Internet of Things",
    "homepage"     : "http://nodered.org",
    "license"      : "Apache-2.0",
@ -53,6 +53,7 @@
        "oauth2orize":"1.1.0",
        "i18next":"1.10.5",
        "semver": "5.0.3",
+        "basic-auth": "1.0.3",
        "node-red-node-feedparser":"0.1.*",
        "node-red-node-email":"0.1.*",
        "node-red-node-twitter":"0.1.*",
--- a/red.js
+++ b/red.js
@ -178,21 +178,25 @@ try {
    process.exit(1);
 }

+function basicAuthMiddleware(user,pass) {
+    var basicAuth = require('basic-auth');
+    return function(req,res,next) {
+        var requestUser = basicAuth(req);
+        if (!requestUser || requestUser.name !== user || crypto.createHash('md5').update(requestUser.pass,'utf8').digest('hex') !== pass) {
+            res.set('WWW-Authenticate', 'Basic realm=Authorization Required');
+            return res.sendStatus(401);
+        }
+        next();
+    }
+}
+
 if (settings.httpAdminRoot !== false && settings.httpAdminAuth) {
    RED.log.warn(log._("server.httpadminauth-deprecated"));
-    app.use(settings.httpAdminRoot,
-        express.basicAuth(function(user, pass) {
-            return user === settings.httpAdminAuth.user && crypto.createHash('md5').update(pass,'utf8').digest('hex') === settings.httpAdminAuth.pass;
-        })
-    );
+    app.use(settings.httpAdminRoot, basicAuthMiddleware(settings.httpAdminAuth.user,settings.httpAdminAuth.pass));
 }

 if (settings.httpNodeRoot !== false && settings.httpNodeAuth) {
-    app.use(settings.httpNodeRoot,
-        express.basicAuth(function(user, pass) {
-            return user === settings.httpNodeAuth.user && crypto.createHash('md5').update(pass,'utf8').digest('hex') === settings.httpNodeAuth.pass;
-        })
-    );
+    app.use(settings.httpNodeRoot,basicAuthMiddleware(settings.httpNodeAuth.user,settings.httpNodeAuth.pass));
 }
 if (settings.httpAdminRoot !== false) {
    app.use(settings.httpAdminRoot,RED.httpAdmin);
@ -204,11 +208,7 @@ if (settings.httpNodeRoot !== false) {
 if (settings.httpStatic) {
    settings.httpStaticAuth = settings.httpStaticAuth || settings.httpAuth;
    if (settings.httpStaticAuth) {
-        app.use("/",
-            express.basicAuth(function(user, pass) {
-                return user === settings.httpStaticAuth.user && crypto.createHash('md5').update(pass,'utf8').digest('hex') === settings.httpStaticAuth.pass;
-            })
-        );
+        app.use("/",basicAuthMiddleware(settings.httpStaticAuth.user,settings.httpStaticAuth.pass));
    }
    app.use("/",express.static(settings.httpStatic));
 }
--- a/settings.js
+++ b/settings.js
@ -71,7 +71,7 @@ module.exports = {
    // By default, these are served relative to '/'. The following property
    // can be used to specifiy a different root path. If set to false, this is
    // disabled.
-    //httpNodeRoot: '/nodes',
+    //httpNodeRoot: '/red-nodes',

    // To password protect the node-defined HTTP endpoints, the following property
    // can be used.