Add: basic auth.

Author: bjones1

server/Cargo.toml

@@ -50,8 +50,10 @@ lexer_explain = []
 # ------------
 [dependencies]
 actix-files = "0.6"
+actix-http = "3.9.0"
 actix-rt = "2.9.0"
 actix-web = "4"
+actix-web-httpauth = "0.8.2"
 actix-ws = "0.3.0"
 bytes = { version = "1", features = ["serde"] }
 chrono = "0.4"

server/src/main.rs

@@ -36,7 +36,7 @@ use clap::{Parser, Subcommand};
 use log::LevelFilter;
 
 // ### Local
-use code_chat_editor::webserver::{self, GetServerUrlError, path_to_url};
+use code_chat_editor::webserver::{self, Credentials, GetServerUrlError, path_to_url};
 
 // Data structures
 // ---------------
@@ -78,6 +78,10 @@ enum Commands {
         /// Control logging verbosity.
         #[arg(short, long)]
         log: Option<LevelFilter>,
+
+        /// Define the username:password used to limit access to the server. By default, access is unlimited.
+        #[arg(short, long, value_parser = parse_credentials)]
+        credentials: Option<Credentials>,
     },
     /// Start the webserver in a child process then exit.
     Start {
@@ -96,15 +100,15 @@ enum Commands {
 impl Cli {
     fn run(self, addr: &SocketAddr) -> Result<(), Box<dyn std::error::Error>> {
         match &self.command {
-            Commands::Serve { log } => {
+            Commands::Serve { log, credentials } => {
                 #[cfg(debug_assertions)]
                 if let Some(TestMode::Sleep) = self.test_mode {
                     // For testing, don't start the server at all.
                     std::thread::sleep(std::time::Duration::from_secs(10));
                     return Ok(());
                 }
                 webserver::configure_logger(log.unwrap_or(LevelFilter::Info))?;
-                webserver::main(addr).unwrap();
+                webserver::main(addr, credentials.clone()).unwrap();
             }
             Commands::Start { open } => {
                 // Poll the server to ensure it starts.
@@ -309,6 +313,21 @@ fn port_in_range(s: &str) -> Result<u16, String> {
     }
 }
 
+fn parse_credentials(s: &str) -> Result<Credentials, String> {
+    let split_: Vec<_> = s.split(":").collect();
+    if split_.len() != 2 {
+        Err(format!(
+            "Unable to parse credentials as username:password; found {} colon-separated string(s)",
+            split_.len()
+        ))
+    } else {
+        Ok(Credentials {
+            username: split_[0].to_string(),
+            password: split_[1].to_string(),
+        })
+    }
+}
+
 fn fix_addr(addr: &SocketAddr) -> SocketAddr {
     if addr.ip() == IpAddr::V4(Ipv4Addr::new(0, 0, 0, 0)) {
         let mut addr = *addr;

server/src/webserver.rs

@@ -44,8 +44,9 @@ use actix_web::{
     error::Error,
     get,
     http::header::{ContentType, DispositionType},
-    web,
+    middleware, web,
 };
+use actix_web_httpauth::{extractors::basic::BasicAuth, middleware::HttpAuthentication};
 use actix_ws::AggregatedMessage;
 use bytes::Bytes;
 use dunce::simplified;
@@ -284,23 +285,31 @@ struct UpdateMessageContents {
 /// Define the [state](https://actix.rs/docs/application/#state) available to
 /// all endpoints.
 pub struct AppState {
-    // Provide methods to control the server.
+    /// Provide methods to control the server.
     server_handle: Mutex<Option<ServerHandle>>,
-    // The number of the next connection ID to assign.
+    /// The number of the next connection ID to assign.
     connection_id: Mutex<u32>,
-    // The port this server listens on.
+    /// The port this server listens on.
     port: u16,
-    // For each connection ID, store a queue tx for the HTTP server to send
-    // requests to the processing task for that ID.
+    /// For each connection ID, store a queue tx for the HTTP server to send
+    /// requests to the processing task for that ID.
     processing_task_queue_tx: Arc<Mutex<HashMap<String, Sender<ProcessingTaskHttpRequest>>>>,
-    // For each (connection ID, requested URL) store channel to send the
-    // matching response to the HTTP task.
+    /// For each (connection ID, requested URL) store channel to send the
+    /// matching response to the HTTP task.
     filewatcher_client_queues: Arc<Mutex<HashMap<String, WebsocketQueues>>>,
-    // For each connection ID, store the queues for the VSCode IDE.
+    /// For each connection ID, store the queues for the VSCode IDE.
     vscode_ide_queues: Arc<Mutex<HashMap<String, WebsocketQueues>>>,
     vscode_client_queues: Arc<Mutex<HashMap<String, WebsocketQueues>>>,
-    // Connection IDs that are currently in use.
+    /// Connection IDs that are currently in use.
     vscode_connection_id: Arc<Mutex<HashSet<String>>>,
+    /// The auth credentials if authentication is used.
+    credentials: Option<Credentials>,
+}
+
+#[derive(Clone)]
+pub struct Credentials {
+    pub username: String,
+    pub password: String,
 }
 
 // Macros
@@ -1333,32 +1342,69 @@ async fn client_websocket(
 // Webserver core
 // --------------
 #[actix_web::main]
-pub async fn main(addr: &SocketAddr) -> std::io::Result<()> {
-    run_server(addr).await
+pub async fn main(addr: &SocketAddr, credentials: Option<Credentials>) -> std::io::Result<()> {
+    run_server(addr, credentials).await
 }
 
-pub async fn run_server(addr: &SocketAddr) -> std::io::Result<()> {
+pub async fn run_server(
+    addr: &SocketAddr,
+    credentials: Option<Credentials>,
+) -> std::io::Result<()> {
     // Connect to the Capture Database
     //let _event_capture = EventCapture::new("config.json").await?;
 
     // Pre-load the bundled files before starting the webserver.
     let _ = &*BUNDLED_FILES_MAP;
-    let app_data = make_app_data(addr.port());
+    let app_data = make_app_data(addr.port(), credentials);
     let app_data_server = app_data.clone();
-    let server =
-        match HttpServer::new(move || configure_app(App::new(), &app_data_server)).bind(addr) {
-            Ok(server) => server.run(),
-            Err(err) => {
-                error!("Unable to bind to {addr} - {err}");
-                return Err(err);
-            }
-        };
+    let server = match HttpServer::new(move || {
+        let auth = HttpAuthentication::with_fn(basic_validator);
+        configure_app(
+            App::new().wrap(middleware::Condition::new(
+                app_data_server.credentials.is_some(),
+                auth,
+            )),
+            &app_data_server,
+        )
+    })
+    .bind(addr)
+    {
+        Ok(server) => server.run(),
+        Err(err) => {
+            error!("Unable to bind to {addr} - {err}");
+            return Err(err);
+        }
+    };
     // Store the server handle in the global state.
     *(app_data.server_handle.lock().unwrap()) = Some(server.handle());
     // Start the server.
     server.await
 }
 
+// Use HTTP basic authentication (if provided) to mediate access.
+async fn basic_validator(
+    req: ServiceRequest,
+    credentials: BasicAuth,
+) -> Result<ServiceRequest, (Error, ServiceRequest)> {
+    // Get the provided credentials.
+    let expected_credentials = &req
+        .app_data::<actix_web::web::Data<AppState>>()
+        .unwrap()
+        .credentials
+        .as_ref()
+        .unwrap();
+    if credentials.user_id() == expected_credentials.username
+        && credentials.password() == Some(&expected_credentials.password)
+    {
+        Ok(req)
+    } else {
+        Err((
+            actix_web::error::ErrorUnauthorized("Incorrect username or password."),
+            req,
+        ))
+    }
+}
+
 pub fn configure_logger(level: LevelFilter) -> Result<(), Box<dyn std::error::Error>> {
     #[cfg(not(debug_assertions))]
     let l4rs = ROOT_PATH.clone();
@@ -1383,7 +1429,7 @@ pub fn configure_logger(level: LevelFilter) -> Result<(), Box<dyn std::error::Er
 // closure passed to `HttpServer::new` and moved/cloned in." Putting this code
 // inside `configure_app` places it inside the closure which calls
 // `configure_app`, preventing globally shared state.
-fn make_app_data(port: u16) -> web::Data<AppState> {
+fn make_app_data(port: u16, credentials: Option<Credentials>) -> web::Data<AppState> {
     web::Data::new(AppState {
         server_handle: Mutex::new(None),
         connection_id: Mutex::new(0),
@@ -1393,6 +1439,7 @@ fn make_app_data(port: u16) -> web::Data<AppState> {
         vscode_ide_queues: Arc::new(Mutex::new(HashMap::new())),
         vscode_client_queues: Arc::new(Mutex::new(HashMap::new())),
         vscode_connection_id: Arc::new(Mutex::new(HashSet::new())),
+        credentials,
     })
 }
 

server/src/webserver/filewatcher.rs

@@ -757,7 +757,7 @@ mod tests {
         WebsocketQueues,
         impl Service<Request, Response = ServiceResponse<BoxBody>, Error = actix_web::Error> + use<>,
     ) {
-        let app_data = make_app_data(IP_PORT);
+        let app_data = make_app_data(IP_PORT, None);
         let app = test::init_service(configure_app(App::new(), &app_data)).await;
 
         // Load in a test source file to create a websocket.

server/src/webserver/vscode/tests.rs

@@ -66,7 +66,7 @@ use crate::{
 lazy_static! {
     // Run a single webserver for all tests.
     static ref WEBSERVER_HANDLE: JoinHandle<Result<(), Error>> =
-        actix_rt::spawn(async move { run_server(&SocketAddr::new("127.0.0.1".parse().unwrap(), IP_PORT)).await });
+        actix_rt::spawn(async move { run_server(&SocketAddr::new("127.0.0.1".parse().unwrap(), IP_PORT), None).await });
 }
 
 // Send a message via a websocket.