Skip basic auth when auth token is set (#511)

rafiramadhana · web-flow · commit 22f3138a75b8 · 2024-01-01T14:52:32.000+09:00
* Skip basic auth when auth token is set

In addition, I also rename basicAuth to authBasic for naming consistency with authToken.

* Rename test
diff --git a/service/frontend/middleware/basic_auth.go b/service/frontend/middleware/basic_auth.go
@@ -0,0 +1,28 @@
+package middleware
+
+import (
+	"net/http"
+	"strings"
+
+	"github.com/go-chi/chi/v5/middleware"
+)
+
+func BasicAuth(realm string, creds map[string]string) func(next http.Handler) http.Handler {
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			authHeader := strings.Split(r.Header.Get("Authorization"), " ")
+			if skipBasicAuth(authHeader) {
+				next.ServeHTTP(w, r)
+				return
+			}
+			middleware.BasicAuth("restricted", creds)(next).ServeHTTP(w, r)
+		})
+	}
+}
+
+// skipBasicAuth skips basic auth middleware when the auth token is set
+func skipBasicAuth(authHeader []string) bool {
+	return authToken != nil &&
+		len(authHeader) >= 2 &&
+		authHeader[0] == "Bearer"
+}
diff --git a/service/frontend/middleware/basic_auth_test.go b/service/frontend/middleware/basic_auth_test.go
@@ -0,0 +1,69 @@
+package middleware
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestBasicAuth(t *testing.T) {
+	testHandler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusOK)
+		w.Write([]byte("OK"))
+	})
+	fakeAuthHeader := "Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6Ikpva"
+	fakeAuthToken := AuthToken{
+		Token: "Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6Ikpva",
+	}
+	testCase := []struct {
+		name       string
+		authHeader string
+		authToken  *AuthToken
+		httpStatus int
+	}{
+		{
+			name:       "auth header set, auth token set",
+			authHeader: fakeAuthHeader,
+			authToken:  &fakeAuthToken,
+			httpStatus: http.StatusOK,
+		},
+		{
+			name:       "auth header set, auth token unset",
+			authHeader: fakeAuthHeader,
+			authToken:  nil,
+			httpStatus: http.StatusUnauthorized,
+		},
+		{
+			name:       "auth header unset, auth token set",
+			authHeader: "",
+			authToken:  &fakeAuthToken,
+			httpStatus: http.StatusUnauthorized,
+		},
+		{
+			name:       "auth header unset, auth token unset",
+			authHeader: "",
+			authToken:  nil,
+			httpStatus: http.StatusUnauthorized,
+		},
+	}
+	// incorrectCreds triggers HTTP 401 Unauthorized upon basic auth
+	incorrectCreds := map[string]string{
+		"INCORRECT_USERNAME": "INCORRECT_PASSWORD",
+	}
+	for _, tc := range testCase {
+		t.Run(tc.name, func(t *testing.T) {
+			r, err := http.NewRequest("GET", "/test", nil)
+			require.NoError(t, err)
+			r.Header.Add("Authorization", tc.authHeader)
+			w := httptest.NewRecorder()
+			authToken = tc.authToken
+			BasicAuth(
+				"restricted",
+				incorrectCreds,
+			)(testHandler).ServeHTTP(w, r)
+			require.Equal(t, tc.httpStatus, w.Result().StatusCode)
+		})
+	}
+}
diff --git a/service/frontend/middleware/global.go b/service/frontend/middleware/global.go
@@ -17,9 +17,10 @@ func SetupGlobalMiddleware(handler http.Handler) http.Handler {
 		next = TokenAuth("restricted", authToken.Token)(next)
 	}
 
-	if basicAuth != nil {
-		next = middleware.BasicAuth(
-			"restricted", map[string]string{basicAuth.Username: basicAuth.Password},
+	if authBasic != nil {
+		next = BasicAuth(
+			"restricted",
+			map[string]string{authBasic.Username: authBasic.Password},
 		)(next)
 	}
 	next = prefixChecker(next)
@@ -29,17 +30,17 @@ func SetupGlobalMiddleware(handler http.Handler) http.Handler {
 
 var (
 	defaultHandler http.Handler
-	basicAuth      *BasicAuth
+	authBasic      *AuthBasic
 	authToken      *AuthToken
 )
 
 type Options struct {
 	Handler   http.Handler
-	BasicAuth *BasicAuth
+	AuthBasic *AuthBasic
 	AuthToken *AuthToken
 }
 
-type BasicAuth struct {
+type AuthBasic struct {
 	Username string
 	Password string
 }
@@ -50,7 +51,7 @@ type AuthToken struct {
 
 func Setup(opts *Options) {
 	defaultHandler = opts.Handler
-	basicAuth = opts.BasicAuth
+	authBasic = opts.AuthBasic
 	authToken = opts.AuthToken
 }
 
diff --git a/service/frontend/server/server.go b/service/frontend/server/server.go
@@ -91,7 +91,7 @@ func (svr *Server) Serve(ctx context.Context) (err error) {
 		}
 	}
 	if svr.basicAuth != nil {
-		middlewareOptions.BasicAuth = &pkgmiddleware.BasicAuth{
+		middlewareOptions.AuthBasic = &pkgmiddleware.AuthBasic{
 			Username: svr.basicAuth.Username,
 			Password: svr.basicAuth.Password,
 		}

Original file line number	Diff line number	Diff line change
`@@ -91,7 +91,7 @@ func (svr *Server) Serve(ctx context.Context) (err error) {`
`91`	`91`	`}`
`92`	`92`	`}`
`93`	`93`	`if svr.basicAuth != nil {`
`94`		`- middlewareOptions.BasicAuth = &pkgmiddleware.BasicAuth{`
	`94`	`+ middlewareOptions.AuthBasic = &pkgmiddleware.AuthBasic{`
`95`	`95`	`Username: svr.basicAuth.Username,`
`96`	`96`	`Password: svr.basicAuth.Password,`
`97`	`97`	`}`