feat(wrtagweb): add web-auth flag to control interface authentication

closes #172
closes #170

Author: sentriz

README.md

@@ -169,7 +169,7 @@ flowchart LR
 
 Jobs are added to the queue with an HTTP request like `POST <wrtag.host>/op/<copy|move|reflink>` with form value `path=<absolute path to directory>`. Optional form value `mbid=<musicbrainz release URL>` can be supplied if you know your release. Both of the form values can be `application/x-www-form-urlencoded` form bodies, or URL query parameters.
 
-Authentication is done via a HTTP Basic authentication password **without a username**. The password is configured with the `web-api-key` config option.
+The external API requires HTTP Basic authentication with `-web-api-key` as the password (no username). The web UI authentication is controlled by `-web-auth`: either `disabled`, or `basic-auth-from-api-key` (the default) which uses the same API key.
 
 > [!WARNING]
 > HTTP Basic Authentication is only as secure as the transport layer it runs on. Make sure `wrtagweb` is secured using TLS behind your reverse proxy.
@@ -271,13 +271,14 @@ Configuration for `wrtagweb` works the same as [Global configuration](#global-co
 
 <!-- gen with ```go run ./cmd/wrtagweb -h 2>&1 | ./gen-docs | wl-copy``` -->
 
-| CLI argument     | Environment variable  | Config file key | Description                                                   |
-| ---------------- | --------------------- | --------------- | ------------------------------------------------------------- |
-| -web-api-key     | WRTAG_WEB_API_KEY     | web-api-key     | API key for web interface                                     |
-| -web-db-path     | WRTAG_WEB_DB_PATH     | web-db-path     | Path to persistent database path for web interface (optional) |
-| -web-listen-addr | WRTAG_WEB_LISTEN_ADDR | web-listen-addr | Listen address for web interface (optional) (default ":7373") |
-| -web-num-workers | WRTAG_WEB_NUM_WORKERS | web-num-workers | Number of directories to process concurrently                 |
-| -web-public-url  | WRTAG_WEB_PUBLIC_URL  | web-public-url  | Public URL for web interface (optional)                       |
+| CLI argument     | Environment variable  | Config file key | Description                                                                                                      |
+| ---------------- | --------------------- | --------------- | ---------------------------------------------------------------------------------------------------------------- |
+| -web-api-key     | WRTAG_WEB_API_KEY     | web-api-key     | Key for external API endpoints                                                                                   |
+| -web-auth        | WRTAG_WEB_AUTH        | web-auth        | Authentication mode, one of "disabled", "basic-auth-from-api-key" (optional) (default "basic-auth-from-api-key") |
+| -web-db-path     | WRTAG_WEB_DB_PATH     | web-db-path     | Path to persistent database path for web interface (optional)                                                    |
+| -web-listen-addr | WRTAG_WEB_LISTEN_ADDR | web-listen-addr | Listen address for web interface (optional) (default ":7373")                                                    |
+| -web-num-workers | WRTAG_WEB_NUM_WORKERS | web-num-workers | Number of directories to process concurrently (default 4)                                                        |
+| -web-public-url  | WRTAG_WEB_PUBLIC_URL  | web-public-url  | Public URL for web interface (optional)                                                                          |
 
 ## Tool `metadata`
 

cmd/wrtagweb/main.go

@@ -65,7 +65,8 @@ func main() {
 		cfg                 = wrtagflag.Config()
 		notifs              = wrtagflag.Notifications()
 		researchLinkQuerier = wrtagflag.ResearchLinks()
-		apiKey              = flag.String("web-api-key", "", "API key for web interface")
+		apiKey              = flag.String("web-api-key", "", "Key for external API endpoints")
+		auth                = flag.String("web-auth", string(authBasicFromAPIKey), "Authentication mode, one of \"disabled\", \"basic-auth-from-api-key\" (optional)")
 		listenAddr          = flag.String("web-listen-addr", ":7373", "Listen address for web interface (optional)")
 		dbPath              = flag.String("web-db-path", "", "Path to persistent database path for web interface (optional)")
 		publicURL           = flag.String("web-public-url", "", "Public URL for web interface (optional)")
@@ -87,6 +88,13 @@ func main() {
 		return
 	}
 
+	switch ath := authMode(*auth); ath {
+	case authDisabled, authBasicFromAPIKey:
+	default:
+		slog.Error("unknown auth mode", "value", ath)
+		return
+	}
+
 	if *dbPath == "" {
 		tmpf, err := os.CreateTemp("", "wrtagweb*.db")
 		if err != nil {
@@ -292,8 +300,17 @@ func main() {
 
 	mux.Handle("/", http.FileServer(http.FS(ui)))
 
+	mux.HandleFunc("GET /debug/pprof/", pprof.Index)
+	mux.HandleFunc("GET /debug/pprof/*", pprof.Index)
+	mux.HandleFunc("GET /debug/pprof/cmdline", pprof.Cmdline)
+	mux.HandleFunc("GET /debug/pprof/profile", pprof.Profile)
+	mux.HandleFunc("GET /debug/pprof/symbol", pprof.Symbol)
+	mux.HandleFunc("GET /debug/pprof/trace", pprof.Trace)
+
 	// external API
-	mux.HandleFunc("POST /op/{operation}", func(w http.ResponseWriter, r *http.Request) {
+	muxExternal := http.NewServeMux()
+
+	muxExternal.HandleFunc("POST /op/{operation}", func(w http.ResponseWriter, r *http.Request) {
 		operationStr := r.PathValue("operation")
 		if _, err := wrtagflag.OperationByName(operationStr, false); err != nil {
 			http.Error(w, err.Error(), http.StatusBadRequest)
@@ -326,23 +343,19 @@ func main() {
 		jobQueue <- job.ID
 	})
 
-	mux.HandleFunc("GET /debug/pprof/", pprof.Index)
-	mux.HandleFunc("GET /debug/pprof/*", pprof.Index)
-	mux.HandleFunc("GET /debug/pprof/cmdline", pprof.Cmdline)
-	mux.HandleFunc("GET /debug/pprof/profile", pprof.Profile)
-	mux.HandleFunc("GET /debug/pprof/symbol", pprof.Symbol)
-	mux.HandleFunc("GET /debug/pprof/trace", pprof.Trace)
-
 	ctx, cancel := signal.NotifyContext(ctx, os.Interrupt, syscall.SIGTERM)
 	defer cancel()
 	errgrp, ctx := errgroup.WithContext(ctx)
 
 	errgrp.Go(func() error {
 		defer logJob("http", "addr", *listenAddr)()
 
+		m := http.NewServeMux()
+		m.Handle("/", authMiddleware(mux, authMode(*auth), *apiKey))
+		m.Handle("/op/", apiKeyMiddleware(muxExternal, *apiKey))
+
 		var h http.Handler
-		h = mux
-		h = authMiddleware(h, *apiKey)
+		h = m
 		h = logMiddleware(h)
 
 		server := &http.Server{
@@ -599,9 +612,24 @@ func logJob(jobName string, args ...any) func() {
 	return func() { slog.Info("stopping job", "job", jobName) }
 }
 
+type authMode string
+
+const (
+	authDisabled        authMode = "disabled"
+	authBasicFromAPIKey authMode = "basic-auth-from-api-key" //nolint:gosec
+)
+
 const cookieKey = "api-key"
 
-func authMiddleware(next http.Handler, apiKey string) http.Handler {
+func authMiddleware(next http.Handler, mode authMode, apiKey string) http.Handler {
+	switch mode {
+	case authDisabled:
+		return next
+	case authBasicFromAPIKey:
+	default:
+		panic("invalid mode")
+	}
+
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		// exchange a valid basic auth request for a cookie that lasts 30 days
 		if cookie, _ := r.Cookie(cookieKey); cookie != nil && subtle.ConstantTimeCompare([]byte(cookie.Value), []byte(apiKey)) == 1 {
@@ -618,6 +646,16 @@ func authMiddleware(next http.Handler, apiKey string) http.Handler {
 	})
 }
 
+func apiKeyMiddleware(next http.Handler, apiKey string) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if _, key, _ := r.BasicAuth(); subtle.ConstantTimeCompare([]byte(key), []byte(apiKey)) == 1 {
+			next.ServeHTTP(w, r)
+			return
+		}
+		http.Error(w, "unauthorised", http.StatusUnauthorized)
+	})
+}
+
 func logMiddleware(next http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		slog.InfoContext(r.Context(), "request", "url", r.URL)

go.mod

@@ -16,7 +16,7 @@ require (
 	github.com/rogpeppe/go-internal v1.14.1
 	github.com/sergi/go-diff v1.4.0
 	github.com/stretchr/testify v1.11.1
-	go.senan.xyz/flagconf v0.1.10
+	go.senan.xyz/flagconf v0.1.11
 	go.senan.xyz/natcmp v0.1.2
 	go.senan.xyz/sqlb v0.3.11
 	go.senan.xyz/table v0.0.0-20251023151529-96acc7f0ad6c

go.sum

@@ -71,8 +71,8 @@ github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD
 github.com/tetratelabs/wazero v1.11.0 h1:+gKemEuKCTevU4d7ZTzlsvgd1uaToIDtlQlmNbwqYhA=
 github.com/tetratelabs/wazero v1.11.0/go.mod h1:eV28rsN8Q+xwjogd7f4/Pp4xFxO7uOGbLcD/LzB1wiU=
 github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
-go.senan.xyz/flagconf v0.1.10 h1:IGWaX9z4uh03xopYJSwpw1u0KrwRWs8vDmFjaULFH3U=
-go.senan.xyz/flagconf v0.1.10/go.mod h1:NqOFfSwJvNWXOTUabcRZ8mPK9+sJmhStJhqtEt74wNQ=
+go.senan.xyz/flagconf v0.1.11 h1:ApA9DpoSrfVQlLt8spKJC3fOT7oTEZ2/MmBGMnb9mt4=
+go.senan.xyz/flagconf v0.1.11/go.mod h1:NqOFfSwJvNWXOTUabcRZ8mPK9+sJmhStJhqtEt74wNQ=
 go.senan.xyz/natcmp v0.1.2 h1:ko7umA435ZyrNtNZeAvBOWzxct9RaXdie7XC1rWhD84=
 go.senan.xyz/natcmp v0.1.2/go.mod h1:OuIIjIsyj2PwVqCtfzqTeplsZhSXGjm4okZei78Bck4=
 go.senan.xyz/sqlb v0.3.11 h1:uSfFZmtiUUyPddAYf/1rJqcgZIMeONagIxBWlmYyO9w=