From 258742f6b7d1af018bfa0e3d079c8454c34ebef9 Mon Sep 17 00:00:00 2001
From: Matteo Pagliazzi
Date: Mon, 20 Mar 2017 15:02:48 +0100
Subject: [PATCH] Optional HTTP Basic Auth (#8586)

* add ability to add http basic auth to the website
* debug
* remove console.log
---
 config.json.example | 5 +++++
 npm-shrinkwrap.json | 5 +++++
 package.json | 1 +
 website/server/middlewares/index.js | 13 +++++++++++++
 4 files changed, 24 insertions(+)
diff --git a/config.json.example b/config.json.example
index 18264f6ff0..6897f72b78 100644
--- a/config.json.example
+++ b/config.json.example
@@ -76,6 +76,11 @@
 "APN_ENABLED": "false",
 "FCM_SERVER_API_KEY": ""
 },
+ "SITE_HTTP_AUTH": {
+ "ENABLED": "false",
+ "USERNAME": "admin",
+ "PASSWORD": "password"
+ },
 "PUSHER": {
 "ENABLED": "false",
 "APP_ID": "appId",
diff --git a/npm-shrinkwrap.json b/npm-shrinkwrap.json
index 126f087619..b4b0be6ac4 100644
--- a/npm-shrinkwrap.json
+++ b/npm-shrinkwrap.json
@@ -3733,6 +3733,11 @@
 }
 }
 },
+ "express-basic-auth": {
+ "version": "1.0.1",
+ "from": "express-basic-auth@>=1.0.1 <2.0.0",
+ "resolved": "https://registry.npmjs.org/express-basic-auth/-/express-basic-auth-1.0.1.tgz"
+ },
 "express-csv": {
 "version": "0.6.0",
 "from": "express-csv@>=0.6.0 <0.7.0",
diff --git a/package.json b/package.json
index e558148026..86fe7d4dd0 100644
--- a/package.json
+++ b/package.json
@@ -41,6 +41,7 @@
 "domain-middleware": "~0.1.0",
 "estraverse": "^4.1.1",
 "express": "~4.14.0",
+ "express-basic-auth": "^1.0.1",
 "express-csv": "~0.6.0",
 "express-validator": "^2.18.0",
 "extract-text-webpack-plugin": "^2.0.0-rc.3",
diff --git a/website/server/middlewares/index.js b/website/server/middlewares/index.js
index 92b5266feb..be5b98fc52 100644
--- a/website/server/middlewares/index.js
+++ b/website/server/middlewares/index.js
@@ -26,9 +26,11 @@ import responseHandler from './response';
 import {
 attachTranslateFunction,
 } from './language';
+import basicAuth from 'express-basic-auth';
 const IS_PROD = nconf.get('IS_PROD');
 const DISABLE_LOGGING = nconf.get('DISABLE_REQUEST_LOGGING') === 'true';
+const ENABLE_HTTP_AUTH = nconf.get('SITE_HTTP_AUTH:ENABLED') === 'true';
 const PUBLIC_DIR = path.join(__dirname, '/../../client-old');
 const SESSION_SECRET = nconf.get('SESSION_SECRET');
@@ -74,6 +76,17 @@ module.exports = function attachMiddlewares (app, server) {
 app.use(passport.initialize());
 app.use(passport.session());
+ // The site can require basic HTTP authentication to be accessed
+ if (ENABLE_HTTP_AUTH) {
+ const httpBasicAuthUsers = {};
+ httpBasicAuthUsers[nconf.get('SITE_HTTP_AUTH:USERNAME')] = nconf.get('SITE_HTTP_AUTH:PASSWORD');
+
+ app.use(basicAuth({
+ users: httpBasicAuthUsers,
+ challenge: true,
+ realm: 'Habitica',
+ }));
+ }
 app.use('/api/v2', v2);
 app.use('/api/v1', v1);
 app.use(v3); // the main app, also setup top-level routes
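Review bot: Inside the `if (ENABLE_HTTP_AUTH)` block the username and password go from nconf straight into `httpBasicAuthUsers` with no check, so an unset key produces the entry `undefined: undefined`, and a deployment that copies config.json.example and only flips ENABLED ends up gated by the shipped `admin` / `password` pair. Reading both values into locals and failing at startup would make a misconfigured gate obvious, e.g. `if (!username || !password) throw new Error('SITE_HTTP_AUTH is enabled but USERNAME or PASSWORD is not set');`, ideally also rejecting the example defaults. The middleware is registered after `passport.session()` and after whatever precedes it in `attachMiddlewares`, which starts outside this hunk, so anything answered by earlier middleware is presumably not covered by the challenge; if the intent is to gate the whole site, mounting it first would be safer. Basic credentials travel on every request in a trivially reversible encoding, so a comment above the block such as `// Only enable when the site is served over HTTPS` would be worth adding.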