From 34537180c3cbb87ecef6c66e3337166707216f15 Mon Sep 17 00:00:00 2001
From: Nick O'Leary
Date: Tue, 10 Nov 2015 15:44:48 +0000
Subject: [PATCH] Fix basic authentication on httpNode/Admin/Static
---
 package.json | 3 ++-
 red.js | 30 +++++++++++++++---------------
 settings.js | 2 +-
 3 files changed, 18 insertions(+), 17 deletions(-)
diff --git a/package.json b/package.json
index 7e29c4716..6fbe48d22 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name" : "node-red",
- "version" : "0.12.0",
+ "version" : "0.12.1",
 "description" : "A visual tool for wiring the Internet of Things",
 "homepage" : "http://nodered.org",
 "license" : "Apache-2.0",
@@ -53,6 +53,7 @@
 "oauth2orize":"1.1.0",
 "i18next":"1.10.5",
 "semver": "5.0.3",
+ "basic-auth": "1.0.3",
 "node-red-node-feedparser":"0.1.*",
 "node-red-node-email":"0.1.*",
 "node-red-node-twitter":"0.1.*",
diff --git a/red.js b/red.js
index 79ec4e6d1..5d4e83c33 100755
--- a/red.js
+++ b/red.js
@@ -178,21 +178,25 @@ try {
 process.exit(1);
 }
+function basicAuthMiddleware(user,pass) {
+ var basicAuth = require('basic-auth');
+ return function(req,res,next) {
+ var requestUser = basicAuth(req);
+ if (!requestUser || requestUser.name !== user || crypto.createHash('md5').update(requestUser.pass,'utf8').digest('hex') !== pass) {
+ res.set('WWW-Authenticate', 'Basic realm=Authorization Required');
+ return res.sendStatus(401);
+ }
+ next();
+ }
+}
+
 if (settings.httpAdminRoot !== false && settings.httpAdminAuth) {
 RED.log.warn(log._("server.httpadminauth-deprecated"));
- app.use(settings.httpAdminRoot,
- express.basicAuth(function(user, pass) {
- return user === settings.httpAdminAuth.user && crypto.createHash('md5').update(pass,'utf8').digest('hex') === settings.httpAdminAuth.pass;
- })
- );
+ app.use(settings.httpAdminRoot, basicAuthMiddleware(settings.httpAdminAuth.user,settings.httpAdminAuth.pass));
 }
 if (settings.httpNodeRoot !== false && settings.httpNodeAuth) {
- app.use(settings.httpNodeRoot,
- express.basicAuth(function(user, pass) {
- return user === settings.httpNodeAuth.user && crypto.createHash('md5').update(pass,'utf8').digest('hex') === settings.httpNodeAuth.pass;
- })
- );
+ app.use(settings.httpNodeRoot,basicAuthMiddleware(settings.httpNodeAuth.user,settings.httpNodeAuth.pass));
 }
 if (settings.httpAdminRoot !== false) {
 app.use(settings.httpAdminRoot,RED.httpAdmin);
@@ -204,11 +208,7 @@ if (settings.httpNodeRoot !== false) {
 if (settings.httpStatic) {
 settings.httpStaticAuth = settings.httpStaticAuth || settings.httpAuth;
 if (settings.httpStaticAuth) {
- app.use("/",
- express.basicAuth(function(user, pass) {
- return user === settings.httpStaticAuth.user && crypto.createHash('md5').update(pass,'utf8').digest('hex') === settings.httpStaticAuth.pass;
- })
- );
+ app.use("/",basicAuthMiddleware(settings.httpStaticAuth.user,settings.httpStaticAuth.pass));
 }
 app.use("/",express.static(settings.httpStatic));
 }
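Review bot: The 401 challenge built in basicAuthMiddleware (first red.js hunk) sends `Basic realm=Authorization Required`, where the realm value contains a space but is not a quoted string, so clients may read the realm as `Authorization` only or reject the challenge; the line should be `res.set('WWW-Authenticate', 'Basic realm="Authorization Required"');`. The credential check keeps the earlier scheme of comparing an unsalted MD5 hex digest with `!==`, and because of the `||` short-circuit the digest is computed only when the user name matches, so the work done per request depends on which field was wrong. Where the supported Node versions provide it, hashing unconditionally and comparing equal-length digests with `crypto.timingSafeEqual` would remove that dependence. Replacing MD5 would change the settings format and belongs in a separate change. The same helper guards the static route in the second red.js hunk, so both points apply there as well.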
diff --git a/settings.js b/settings.js
index 75874e539..28782c06e 100644
--- a/settings.js
+++ b/settings.js
@@ -71,7 +71,7 @@ module.exports = {
 // By default, these are served relative to '/'. The following property
 // can be used to specifiy a different root path. If set to false, this is
 // disabled.
- //httpNodeRoot: '/nodes',
+ //httpNodeRoot: '/red-nodes',
 // To password protect the node-defined HTTP endpoints, the following property
 // can be used.