Support htpasswd #10

Open
aitjcize opened this issue Mar 20, 2015 · 4 comments

Comments

@aitjcize

Support htpasswd and allow multiple accounts.

This project https://github.com/abbot/go-http-auth does support htpasswd, but it does not support wrapping http.Handler.

@elithrar
Member

Thanks for bringing this up. I'm flat out for the next month or so and won't have a chance to implement but am open to PRs.

If anything, I'd probably allow the user to specify the accounts file because .htaccess is an "Apache-ism" and not defined as part of RFC2617.

A rough to-do list would be:

  • Extend AuthOptions to contain a "UserFile" field that takes the path (location) of the user:password combinations
  • Support either multiple {scheme}{hash} formats for passwords, or (preferably) just bcrypt
  • Determine how to fit the existing User/Password fields into this - do we count them as 'another' user, or ignore them when UserFile is not an empty string?

@elithrar
Member

I'm planning to get a draft of this up this weekend. Thus far:

  • A UserFile string field added to the AuthOptions struct. This will contain the full path to the file.
  • The file will contain username:password:comment pairs as per nginx
  • Supported hashes/KDFs for passwords are up in the air. I would very much prefer to support KDFs only (bcrypt, scrypt, PBKDF2-HMAC-SHA256) because although HTTP Basic Auth should only be a temporary/internal solution, I have no doubts that some people will use this middleware on production sites and/or not properly secure their password file. The issue is that only bcrypt stores the params in the output as standard.

@elithrar elithrar self-assigned this Jul 22, 2015
@elithrar elithrar removed their assignment Dec 6, 2015
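
The user file format proposed in the comments above, as an added example that is not the project's own code: a loader for `username:password:comment` lines that accepts only bcrypt hashes and reads the cost out of the hash string itself. `User`, `ParseUserFile`, `bcryptRe` and the `minCost` floor are hypothetical names and policy chosen for illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// User is one parsed entry (hypothetical type, not part of the middleware).
type User struct {
	Hash string
	Cost int // work factor recovered from the hash string
}

// bcrypt's crypt format embeds version, cost and salt: $2b$<cost>$<53 chars>.
var bcryptRe = regexp.MustCompile(`^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$`)
const minCost = 10 // assumed policy floor, not a value from the thread

// ParseUserFile reads "username:password[:comment]" lines; bcrypt hashes only.
func ParseUserFile(data string) (map[string]User, error) {
	users := make(map[string]User)
	sc := bufio.NewScanner(strings.NewReader(data))
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		f := strings.SplitN(line, ":", 3) // the comment may itself contain ':'
		if _, dup := users[f[0]]; len(f) < 2 || f[0] == "" || dup {
			return nil, fmt.Errorf("line %d: malformed or duplicate entry", n)
		}
		m := bcryptRe.FindStringSubmatch(f[1])
		if m == nil { // plaintext, {SHA}, $apr1$ and the like are refused
			return nil, fmt.Errorf("line %d: user %q: not a bcrypt hash", n, f[0])
		}
		cost, _ := strconv.Atoi(m[1]) // two digits guaranteed by the regexp
		if cost < minCost {
			return nil, fmt.Errorf("line %d: user %q: cost %d below %d", n, f[0], cost, minCost)
		}
		users[f[0]] = User{Hash: f[1], Cost: cost}
	}
	return users, sc.Err()
}

func main() {
	users, err := ParseUserFile("alice:$2b$12$" + strings.Repeat("A", 53) + ":constructed entry, not a real hash\n")
	fmt.Println(users["alice"].Cost, err)
}
```

Password checks against the stored `Hash` would go through `bcrypt.CompareHashAndPassword` from `golang.org/x/crypto/bcrypt`, which is left out so the block needs only the standard library.
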
@alexanderbez

Hey @elithrar, still looking for help on this one?

@elithrar
Member

Definitely!

On Mon, Nov 21, 2016 at 11:18 AM Alexander Bezobchuk <
[email protected]> wrote:

Hey @elithrar https://github.com/elithrar, still looking for help on
this one?


3 participants