auth: record basic auth user

This causes the WSI_TOKEN_HTTP_AUTHORIZATION content to be replaced by the plaintext username that succeeded to be authenticated.
2025-03-09 00:00:04 +01:00 · 2018-10-02 10:52:09 +08:00 · 2018-10-02 10:52:09 +08:00 · 2f8efa1082
commit 2f8efa1082
parent 5760a562d8
3 changed files with 38 additions and 6 deletions
--- a/READMEs/README.lwsws.md
+++ b/READMEs/README.lwsws.md
@ -436,6 +436,9 @@ The file should be readable by lwsws, and for a little bit of extra security not
 have a file suffix, so lws would reject to serve it even if it could find it on
 a mount.

+After successful authentication, `WSI_TOKEN_HTTP_AUTHORIZATION` contains the
+authenticated username.
+
@section lwswscc Requiring a Client Cert on a vhost

 You can make a vhost insist to get a client certificate from the peer before
--- a/lib/roles/http/server/server.c
+++ b/lib/roles/http/server/server.c
@ -1126,13 +1126,22 @@ lws_http_action(struct lws *wsi)
 	/* basic auth? */

 	if (hit->basic_auth_login_file) {
-		char b64[160], plain[(sizeof(b64) * 3) / 4];
-		int m;
+		char b64[160], plain[(sizeof(b64) * 3) / 4], *pcolon;
+		int m, ml, fi;

 		/* Did he send auth? */
-		if (!lws_hdr_total_length(wsi, WSI_TOKEN_HTTP_AUTHORIZATION))
+		ml = lws_hdr_total_length(wsi, WSI_TOKEN_HTTP_AUTHORIZATION);
+		if (!ml)
 			return lws_unauthorised_basic_auth(wsi);

+		/* Disallow fragmentation monkey business */
+
+		fi = wsi->http.ah->frag_index[WSI_TOKEN_HTTP_AUTHORIZATION];
+		if (wsi->http.ah->frags[fi].nfrag) {
+			lwsl_err("fragmented basic auth header not allowed\n");
+			return lws_unauthorised_basic_auth(wsi);
+		}
+
 		n = HTTP_STATUS_FORBIDDEN;

 		m = lws_hdr_copy(wsi, b64, sizeof(b64),
@ -1150,21 +1159,36 @@ lws_http_action(struct lws *wsi)

 		/* It'll be like Authorization: Basic QWxhZGRpbjpPcGVuU2VzYW1l */

-		m = lws_b64_decode_string(b64 + 6, plain, sizeof(plain));
+		m = lws_b64_decode_string(b64 + 6, plain, sizeof(plain) - 1);
 		if (m < 0) {
 			lwsl_err("plain auth too long\n");
 			goto transaction_result_n;
 		}

+		plain[m] = '\0';
+		pcolon = strchr(plain, ':');
+		if (!pcolon) {
+			lwsl_err("basic auth format broken\n");
+			return lws_unauthorised_basic_auth(wsi);
+		}
 		if (!lws_find_string_in_file(hit->basic_auth_login_file,
 					     plain, m)) {
 			lwsl_err("basic auth lookup failed\n");
 			return lws_unauthorised_basic_auth(wsi);
 		}

-		lwsl_info("basic auth accepted\n");
+		/*
+		 * Rewrite WSI_TOKEN_HTTP_AUTHORIZATION so it is just the
+		 * authorized username
+		 */

-		/* accept the auth */
+		*pcolon = '\0';
+		wsi->http.ah->frags[fi].len = lws_ptr_diff(pcolon, plain);
+		pcolon = lws_hdr_simple_ptr(wsi, WSI_TOKEN_HTTP_AUTHORIZATION);
+		strncpy(pcolon, plain, ml - 1);
+		pcolon[ml - 1] = '\0';
+		lwsl_info("%s: basic auth accepted for %s\n", __func__,
+			 lws_hdr_simple_ptr(wsi, WSI_TOKEN_HTTP_AUTHORIZATION));
 	}

 #if defined(LWS_WITH_HTTP_PROXY)
--- a/minimal-examples/http-server/minimal-http-server-basicauth/README.md
+++ b/minimal-examples/http-server/minimal-http-server-basicauth/README.md
@ -9,6 +9,11 @@ by basic auth at /secret.
 The file at ./ba-passwords contains valid user:password
 combinations.

+## Discovering the authenticated user
+
+After a successful authentication, the `WSI_TOKEN_HTTP_AUTHORIZATION` token
+contains the authenticated username.
+
 ## build

 ```