Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Support HTTP BasicAuth for authentication with auth-user argument, password or hashedPassword #7173

Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

Support HTTP BasicAuth for authentication with auth-user argument, password or hashedPassword #7173

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
d911eac
Support HTTP BasicAuth for authentication if $AUTH_USER is set
gaberudy Dec 22, 2024
6448408
Support hashed password for basic auth and match style
gaberudy Jan 19, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
16 changes: 16 additions & 0 deletions src/node/cli.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,7 @@ export enum Feature {

export enum AuthType {
Password = "password",
HttpBasic = "http-basic",
None = "none",
}

Expand Down Expand Up @@ -65,6 +66,7 @@ export interface UserProvidedCodeArgs {
export interface UserProvidedArgs extends UserProvidedCodeArgs {
config?: string
auth?: AuthType
"auth-user"?: string
password?: string
"hashed-password"?: string
cert?: OptionalString
Expand Down Expand Up @@ -137,6 +139,10 @@ export type Options<T> = {

export const options: Options<Required<UserProvidedArgs>> = {
auth: { type: AuthType, description: "The type of authentication to use." },
"auth-user": {
type: "string",
description: "The username for http-basic authentication.",
},
password: {
type: "string",
description: "The password for password authentication (can only be passed in via $PASSWORD or the config file).",
Expand Down Expand Up @@ -480,6 +486,7 @@ export interface DefaultedArgs extends ConfigArgs {
"proxy-domain": string[]
verbose: boolean
usingEnvPassword: boolean
usingEnvAuthUser: boolean
usingEnvHashedPassword: boolean
"extensions-dir": string
"user-data-dir": string
Expand Down Expand Up @@ -570,6 +577,14 @@ export async function setDefaults(cliArgs: UserProvidedArgs, configArgs?: Config
args.password = process.env.PASSWORD
}

const usingEnvAuthUser = !!process.env.AUTH_USER
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If this variable isn't going to be used for another 50+ lines, I think it'd be better to inline it inside the return type

if (process.env.AUTH_USER) {
args["auth"] = AuthType.HttpBasic
args["auth-user"] = process.env.AUTH_USER
} else if (args["auth-user"]) {
args["auth"] = AuthType.HttpBasic
}

if (process.env.CS_DISABLE_FILE_DOWNLOADS?.match(/^(1|true)$/)) {
args["disable-file-downloads"] = true
}
Expand Down Expand Up @@ -621,6 +636,7 @@ export async function setDefaults(cliArgs: UserProvidedArgs, configArgs?: Config
return {
...args,
usingEnvPassword,
usingEnvAuthUser,
usingEnvHashedPassword,
} as DefaultedArgs // TODO: Technically no guarantee this is fulfilled.
}
Expand Down
39 changes: 39 additions & 0 deletions src/node/http.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,7 @@ import * as expressCore from "express-serve-static-core"
import * as http from "http"
import * as net from "net"
import * as qs from "qs"
import safeCompare from "safe-compare"
import { Disposable } from "../common/emitter"
import { CookieKeys, HttpCode, HttpError } from "../common/http"
import { normalize } from "../common/util"
Expand All @@ -20,6 +21,7 @@ import {
escapeHtml,
escapeJSON,
splitOnFirstEquals,
isHashMatch,
} from "./util"

/**
Expand Down Expand Up @@ -111,6 +113,35 @@ export const ensureAuthenticated = async (
}
}

/**
* Validate basic auth credentials.
*/
const validateBasicAuth = async (
authHeader: string | undefined,
authUser: string | undefined,
authPassword: string | undefined,
hashedPassword: string | undefined,
): Promise<boolean> => {
if (!authHeader?.startsWith("Basic ")) {
return false
}

try {
const base64Credentials = authHeader.split(" ")[1]
const credentials = Buffer.from(base64Credentials, "base64").toString("utf-8")
const [username, password] = credentials.split(":")
if (username !== authUser) return false
if (hashedPassword) {
return await isHashMatch(password, hashedPassword)
} else {
return safeCompare(password, authPassword || "")
}
} catch (error) {
logger.error("Error validating basic auth:" + error)
return false
}
Comment on lines +129 to +142
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could the logic for base64Credentials be updated to check that the split array has an element at index 1, and isn't potentially undefined? Once that's done, could the declaration be moved out of the block since that part of the code wouldn't be able to throw an error?

}

/**
* Return true if authenticated via cookies.
*/
Expand All @@ -132,6 +163,14 @@ export const authenticated = async (req: express.Request): Promise<boolean> => {

return await isCookieValid(isCookieValidArgs)
}
case AuthType.HttpBasic: {
return await validateBasicAuth(
req.headers.authorization,
req.args["auth-user"],
req.args.password,
req.args["hashed-password"],
)
}
default: {
throw new Error(`Unsupported auth type ${req.args.auth}`)
}
Expand Down
9 changes: 8 additions & 1 deletion src/node/main.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -133,7 +133,7 @@ export const runCodeServer = async (

logger.info(`Using config file ${args.config}`)
logger.info(`${protocol.toUpperCase()} server listening on ${serverAddress.toString()}`)
if (args.auth === AuthType.Password) {
if (args.auth === AuthType.Password || args.auth === AuthType.HttpBasic) {
logger.info(" - Authentication is enabled")
if (args.usingEnvPassword) {
logger.info(" - Using password from $PASSWORD")
Expand All @@ -142,6 +142,13 @@ export const runCodeServer = async (
} else {
logger.info(` - Using password from ${args.config}`)
}
if (args.auth === AuthType.HttpBasic) {
if (args.usingEnvAuthUser) {
logger.info(" - Using user from $AUTH_USER")
} else {
logger.info(` - With user ${args["auth-user"]}`)
}
}
} else {
logger.info(" - Authentication is disabled")
}
Expand Down
5 changes: 5 additions & 0 deletions src/node/routes/domainProxy.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,6 @@
import { Request, Router } from "express"
import { HttpCode, HttpError } from "../../common/http"
import { AuthType } from "../cli"
import { getHost, ensureProxyEnabled, authenticated, ensureAuthenticated, ensureOrigin, redirect, self } from "../http"
import { proxy } from "../proxy"
import { Router as WsRouter } from "../wsRouter"
Expand Down Expand Up @@ -78,6 +79,10 @@ router.all(/.*/, async (req, res, next) => {
if (/\/login\/?/.test(req.path)) {
return next()
}
// If auth is HttpBasic, return a 401.
if (req.args.auth === AuthType.HttpBasic) {
throw new HttpError("Unauthorized", HttpCode.Unauthorized)
}
// Redirect all other pages to the login.
const to = self(req)
return redirect(req, res, "login", {
Expand Down
3 changes: 2 additions & 1 deletion src/node/routes/pathProxy.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,7 @@ import * as pluginapi from "../../../typings/pluginapi"
import { HttpCode, HttpError } from "../../common/http"
import { ensureProxyEnabled, authenticated, ensureAuthenticated, ensureOrigin, redirect, self } from "../http"
import { proxy as _proxy } from "../proxy"
import { AuthType } from "../cli"

const getProxyTarget = (
req: Request,
Expand All @@ -28,7 +29,7 @@ export async function proxy(

if (!(await authenticated(req))) {
// If visiting the root (/:port only) redirect to the login page.
if (!req.params.path || req.params.path === "/") {
if ((!req.params.path || req.params.path === "/") && req.args.auth !== AuthType.HttpBasic) {
const to = self(req)
return redirect(req, res, "login", {
to: to !== "/" ? to : undefined,
Expand Down
8 changes: 7 additions & 1 deletion src/node/routes/vscode.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,8 +6,9 @@ import * as http from "http"
import * as net from "net"
import * as path from "path"
import { WebsocketRequest } from "../../../typings/pluginapi"
import { HttpCode, HttpError } from "../../common/http"
import { logError } from "../../common/util"
import { CodeArgs, toCodeArgs } from "../cli"
import { AuthType, CodeArgs, toCodeArgs } from "../cli"
import { isDevMode, vsRootPath } from "../constants"
import { authenticated, ensureAuthenticated, ensureOrigin, redirect, replaceTemplates, self } from "../http"
import { SocketProxyProvider } from "../socket"
Expand Down Expand Up @@ -118,6 +119,11 @@ router.get("/", ensureVSCodeLoaded, async (req, res, next) => {
const FOLDER_OR_WORKSPACE_WAS_CLOSED = req.query.ew

if (!isAuthenticated) {
// If auth is HttpBasic, return a 401.
if (req.args.auth === AuthType.HttpBasic) {
res.setHeader("WWW-Authenticate", `Basic realm="${req.args["app-name"] || "code-server"}"`)
throw new HttpError("Unauthorized", HttpCode.Unauthorized)
}
const to = self(req)
return redirect(req, res, "login", {
to: to !== "/" ? to : undefined,
Expand Down
Loading