Optional HTTP Basic Auth (#8586)

* add ability to add http basic auth to the website * debug * remove console.log
2026-04-14 11:36:45 +00:00 · 2017-03-20 15:02:48 +01:00 · 2017-03-20 15:02:48 +01:00 · 258742f6b7
commit 258742f6b7
parent d9d7c69432
4 changed files with 24 additions and 0 deletions
--- a/config.json.example
+++ b/config.json.example
@ -76,6 +76,11 @@
        "APN_ENABLED": "false",
        "FCM_SERVER_API_KEY": ""
    },
+    "SITE_HTTP_AUTH": {
+        "ENABLED": "false",
+        "USERNAME": "admin",
+        "PASSWORD": "password"
+    },
    "PUSHER": {
        "ENABLED": "false",
        "APP_ID": "appId",
--- a/npm-shrinkwrap.json
+++ b/npm-shrinkwrap.json
@ -3733,6 +3733,11 @@
        }
      }
    },
+    "express-basic-auth": {
+      "version": "1.0.1",
+      "from": "express-basic-auth@>=1.0.1 <2.0.0",
+      "resolved": "https://registry.npmjs.org/express-basic-auth/-/express-basic-auth-1.0.1.tgz"
+    },
    "express-csv": {
      "version": "0.6.0",
      "from": "express-csv@>=0.6.0 <0.7.0",
--- a/package.json
+++ b/package.json
@ -41,6 +41,7 @@
    "domain-middleware": "~0.1.0",
    "estraverse": "^4.1.1",
    "express": "~4.14.0",
+    "express-basic-auth": "^1.0.1",
    "express-csv": "~0.6.0",
    "express-validator": "^2.18.0",
    "extract-text-webpack-plugin": "^2.0.0-rc.3",
--- a/website/server/middlewares/index.js
+++ b/website/server/middlewares/index.js
@ -26,9 +26,11 @@ import responseHandler from './response';
 import {
  attachTranslateFunction,
 } from './language';
+import basicAuth from 'express-basic-auth';

 const IS_PROD = nconf.get('IS_PROD');
 const DISABLE_LOGGING = nconf.get('DISABLE_REQUEST_LOGGING') === 'true';
+const ENABLE_HTTP_AUTH = nconf.get('SITE_HTTP_AUTH:ENABLED') === 'true';
 const PUBLIC_DIR = path.join(__dirname, '/../../client-old');

 const SESSION_SECRET = nconf.get('SESSION_SECRET');
@ -74,6 +76,17 @@ module.exports = function attachMiddlewares (app, server) {
  app.use(passport.initialize());
  app.use(passport.session());

+  // The site can require basic HTTP authentication to be accessed
+  if (ENABLE_HTTP_AUTH) {
+    const httpBasicAuthUsers = {};
+    httpBasicAuthUsers[nconf.get('SITE_HTTP_AUTH:USERNAME')] = nconf.get('SITE_HTTP_AUTH:PASSWORD');
+
+    app.use(basicAuth({
+      users: httpBasicAuthUsers,
+      challenge: true,
+      realm: 'Habitica',
+    }));
+  }
  app.use('/api/v2', v2);
  app.use('/api/v1', v1);
  app.use(v3); // the main app, also setup top-level routes