orbiting · patte · May 9, 2018 · May 9, 2018 · May 9, 2018
diff --git a/.env.example b/.env.example
@@ -55,6 +55,13 @@ AUTH_MAIL_FROM_ADDRESS="kontakt@republik.ch"
 # the mandril template's name
 AUTH_MAIL_TEMPLATE_NAME=cf_signin
 
+# activate basic auth on this API
+# for assets: send basic auth to frontend (for /render and /frontend, leaks to phantomjscloud)
+#BASIC_AUTH_USER=
+#BASIC_AUTH_PASS=
+# optional:
+#BASIC_AUTH_REALM=
+
 #############
 # mail
 #############

diff --git a/packages/auth/express/auth.js b/packages/auth/express/auth.js
@@ -1,20 +1,8 @@
 const session = require('express-session')
 const PgSession = require('connect-pg-simple')(session)
 const passport = require('passport')
-const checkEnv = require('check-env')
-const querystring = require('querystring')
-const debug = require('debug')('auth')
-const { QueryEmailMismatchError, NoSessionError } = require('../lib/errors')
 const transformUser = require('../lib/transformUser')
-const { authorizeSession } = require('../lib/Sessions')
-
-checkEnv([
-  'FRONTEND_BASE_URL'
-])
-
-const {
-  FRONTEND_BASE_URL
-} = process.env
+const basicAuthMiddleware = require('./basicAuth')
 
 exports.configure = ({
   server = null, // Express Server
@@ -30,7 +18,7 @@ exports.configure = ({
   // be reset every time a user visits the site again before it expires.
   maxAge = 60000 * 60 * 24 * 7 * 2,
   // is the server running in development
-  dev = false,
+  dev = false
 } = {}) => {
   if (server === null) {
     throw new Error('server option must be an express server instance')
@@ -47,6 +35,8 @@ exports.configure = ({
   })
   const Users = pgdb.public.users
 
+  basicAuthMiddleware(server)
+
   // Configure sessions
   server.use(session({
     secret,

diff --git a/packages/auth/express/basicAuth.js b/packages/auth/express/basicAuth.js
@@ -0,0 +1,21 @@
+const basicAuth = require('express-basic-auth')
+
+const {
+  BASIC_AUTH_PASS,
+  BASIC_AUTH_USER,
+  BASIC_AUTH_REALM
+} = process.env
+
+module.exports = (server) => {
+  if (BASIC_AUTH_PASS) {
+    server.use(
+      basicAuth({
+        users: {
+          [BASIC_AUTH_USER]: BASIC_AUTH_PASS
+        },
+        challenge: true,
+        realm: BASIC_AUTH_REALM
+      })
+    )
+  }
+}
diff --git a/packages/auth/lib/signIn.js b/packages/auth/lib/signIn.js
@@ -13,6 +13,7 @@ const {
 } = require('@orbiting/backend-modules-mail')
 
 checkEnv([
+  'FRONTEND_BASE_URL',
   'AUTH_MAIL_FROM_ADDRESS'
 ])
 

diff --git a/packages/auth/package.json b/packages/auth/package.json
@@ -33,6 +33,7 @@
     "country-emoji": "^1.2.0",
     "debug": "^3.1.0",
     "export-files": "^2.1.1",
+    "express-basic-auth": "^1.1.5",
     "express-session": "^1.15.6",
     "geoip-database": "^1.0.16",
     "is-uuid": "^1.0.2",

diff --git a/servers/assets/.env.example b/servers/assets/.env.example
@@ -2,12 +2,15 @@
 PORT=5020
 
 #############
-# common
+# auth
 #############
 
-# send basic auth to frontend (for /render and /frontend, leaks to phantomjscloud and creates back door access to the front end)
+# activate basic auth on this API and
+# send basic auth to frontend (for /render and /frontend, leaks to phantomjscloud)
 #BASIC_AUTH_USER=
 #BASIC_AUTH_PASS=
+# optional:
+#BASIC_AUTH_REALM=
 
 
 #############

diff --git a/servers/assets/server.js b/servers/assets/server.js
@@ -1,6 +1,7 @@
 const express = require('express')
 const cors = require('cors')
 const { express: middlewares } = require('@orbiting/backend-modules-assets')
+const { express: { basicAuth: basicAuthMiddleware } } = require('@orbiting/backend-modules-auth')
 
 const DEV = process.env.NODE_ENV && process.env.NODE_ENV !== 'production'
 
@@ -40,6 +41,8 @@ const start = (workerId) => {
     server.use('*', cors(corsOptions))
   }
 
+  basicAuthMiddleware(server)
+
   // special middlewares
   for (let middleware of additionalMiddlewares) {
     middleware(server)

diff --git a/yarn.lock b/yarn.lock
@@ -747,6 +747,10 @@ base@^0.11.1:
     mixin-deep "^1.2.0"
     pascalcase "^0.1.1"
 
+basic-auth@^1.1.0:
+  version "1.1.0"
+  resolved "https://registry.yarnpkg.com/basic-auth/-/basic-auth-1.1.0.tgz#45221ee429f7ee1e5035be3f51533f1cdfd29884"
+
 bcrypt-pbkdf@^1.0.0:
   version "1.0.1"
   resolved "https://registry.yarnpkg.com/bcrypt-pbkdf/-/bcrypt-pbkdf-1.0.1.tgz#63bc5dcb61331b92bc05fd528953c33462a06f8d"
@@ -2220,6 +2224,12 @@ export-files@^2.1.1:
   dependencies:
     lazy-cache "^1.0.3"
 
+express-basic-auth@^1.1.5:
+  version "1.1.5"
+  resolved "https://registry.yarnpkg.com/express-basic-auth/-/express-basic-auth-1.1.5.tgz#3a28f6300b5f1ffd8e025193489b520a264941ea"
+  dependencies:
+    basic-auth "^1.1.0"
+
 express-session@^1.15.6:
   version "1.15.6"
   resolved "https://registry.yarnpkg.com/express-session/-/express-session-1.15.6.tgz#47b4160c88f42ab70fe8a508e31cbff76757ab0a"