asim · asim · May 29, 2024 · May 29, 2024 · May 29, 2024
diff --git a/README.md b/README.md
@@ -33,6 +33,8 @@ Flags
 
 ```
 Usage of ./git-http-backend:
+  -require_auth bool
+        set require auth enable/disable
   -auth_pass_env_var string
         set an env var to provide the basic auth pass as
   -auth_user_env_var string
@@ -97,4 +99,4 @@ IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
 CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
 TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
 SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-```
+```````
diff --git a/main.go b/main.go
@@ -9,6 +9,7 @@ import (
 )
 
 func init() {
+  flag.BoolVar(&server.DefaultConfig.RequireAuth, "require_auth", server.DefaultConfig.RequireAuth, "enable basic auth")
 	flag.StringVar(&server.DefaultConfig.AuthPassEnvVar, "auth_pass_env_var", server.DefaultConfig.AuthPassEnvVar, "set an env var to provide the basic auth pass as")
 	flag.StringVar(&server.DefaultConfig.AuthUserEnvVar, "auth_user_env_var", server.DefaultConfig.AuthUserEnvVar, "set an env var to provide the basic auth user as")
 	flag.StringVar(&server.DefaultConfig.DefaultEnv, "default_env", server.DefaultConfig.DefaultEnv, "set the default env")

diff --git a/server/server.go b/server/server.go
@@ -23,6 +23,7 @@ type Service struct {
 }
 
 type Config struct {
+  RequireAuth    bool
 	AuthPassEnvVar string
 	AuthUserEnvVar string
 	DefaultEnv     string
@@ -46,6 +47,7 @@ var (
 	DefaultAddress = ":8080"
 
 	DefaultConfig = Config{
+    RequireAuth:    false,
 		AuthPassEnvVar: "",
 		AuthUserEnvVar: "",
 		DefaultEnv:     "",
@@ -211,7 +213,19 @@ func getInfoRefs(hr HandlerReq) {
 	service_name := getServiceType(r)
 	access := hasAccess(r, dir, service_name, false)
 	version := r.Header.Get("Git-Protocol")
-	if access {
+
+  user, password, authok := r.BasicAuth()
+  if DefaultConfig.RequireAuth && !authok {
+    renderAuthRequire(w)
+    return
+  }
+
+  if authok && user != DefaultConfig.AuthUserEnvVar && password != DefaultConfig.AuthPassEnvVar {
+    w.WriteHeader(http.StatusUnauthorized)
+    return
+  }
+
+  if access {
 		args := []string{service_name, "--stateless-rpc", "--advertise-refs", "."}
 		refs := gitCommand(dir, version, args...)
 
@@ -387,6 +401,13 @@ func renderNoAccess(w http.ResponseWriter) {
 	w.Write([]byte("Forbidden"))
 }
 
+func renderAuthRequire(w http.ResponseWriter) {
+  w.Header().Add("Content-Type", "text/plain")
+  w.Header().Add("WWW-Authenticate", "Basic realm=\"authorization needed\"")
+  w.WriteHeader(http.StatusUnauthorized)
+  w.Write([]byte("401 Unauthorized"))
+}
+
 // Packet-line handling function
 
 func packetFlush() []byte {