Skip to content

Commit

Permalink
Merge pull request #15720 from craftcms/feature/http-basic-auth
Browse files Browse the repository at this point in the history
Basic HTTP authentication filters
  • Loading branch information
brandonkelly authored Sep 19, 2024
2 parents 2e73130 + 52826ec commit 61d6821
Show file tree
Hide file tree
Showing 6 changed files with 175 additions and 1 deletion.
4 changes: 4 additions & 0 deletions CHANGELOG-WIP.md
Original file line number Diff line number Diff line change
Expand Up @@ -2,3 +2,7 @@

### Extensibility
- Added `craft\base\RequestTrait::getIsWebRequest()`. ([#15690](https://github.com/craftcms/cms/pull/15690))
- Added `craft\filters\BasicHttpAuthLogin`. ([#15720](https://github.com/craftcms/cms/pull/15720))
- Added `craft\filters\BasicHttpAuthStatic`. ([#15720](https://github.com/craftcms/cms/pull/15720))
- Added `craft\filters\SiteFilterTrait::$enabled`. ([#15720](https://github.com/craftcms/cms/pull/15720))
- Deprecated the `enableBasicHttpAuth` config setting. `craft\filters\BasicHttpAuthLogin` should be used instead. ([#15720](https://github.com/craftcms/cms/pull/15720))
1 change: 1 addition & 0 deletions src/config/GeneralConfig.php
Original file line number Diff line number Diff line change
Expand Up @@ -1071,6 +1071,7 @@ class GeneralConfig extends BaseConfig
*
* @group Security
* @since 3.5.0
* @deprecated in 4.13.0. [[\craft\filters\BasicHttpAuthLogin]] should be used instead.
*/
public bool $enableBasicHttpAuth = false;

Expand Down
57 changes: 57 additions & 0 deletions src/filters/BasicHttpAuthLogin.php
Original file line number Diff line number Diff line change
@@ -0,0 +1,57 @@
<?php
/**
* @link https://craftcms.com/
* @copyright Copyright (c) Pixel & Tonic, Inc.
* @license https://craftcms.github.io/license/
*/

namespace craft\filters;

use Craft;
use craft\elements\User;
use yii\filters\auth\HttpBasicAuth;
use yii\web\IdentityInterface;

/**
* Filter for adding basic HTTP authentication user credentials to site requests.
*
* @see https://www.yiiframework.com/doc/api/2.0/yii-filters-auth-httpbasicauth
* @author Pixel & Tonic, Inc. <[email protected]>
* @since 4.13.0
*/
class BasicHttpAuthLogin extends HttpBasicAuth
{
use SiteFilterTrait, BasicHttpAuthTrait;

/**
* @inheritdoc
*/
public $realm;

/**
* @inheritdoc
*/
public function __construct($config = [])
{
parent::__construct($config + [
'auth' => [$this, 'auth'],
'realm' => Craft::$app->getSystemName(),
]);
}

protected function auth($username, $password): ?IdentityInterface
{
if (!$username || !$password) {
return null;
}

$user = User::find()->username($username)->one();
$identity = $user?->findIdentity($user->id);

if ($identity && Craft::$app->getSecurity()->validatePassword($password, $identity->password)) {
return $identity;
}

return null;
}
}
73 changes: 73 additions & 0 deletions src/filters/BasicHttpAuthStatic.php
Original file line number Diff line number Diff line change
@@ -0,0 +1,73 @@
<?php
/**
* @link https://craftcms.com/
* @copyright Copyright (c) Pixel & Tonic, Inc.
* @license https://craftcms.github.io/license/
*/

namespace craft\filters;

use Craft;
use craft\helpers\App;
use yii\base\InvalidConfigException;
use yii\filters\auth\HttpBasicAuth;

/**
* Filter for adding basic HTTP authentication with static credentials to site requests.
*
* @see https://www.yiiframework.com/doc/api/2.0/yii-filters-auth-httpbasicauth
* @author Pixel & Tonic, Inc. <[email protected]>
* @since 4.13.0
*/
class BasicHttpAuthStatic extends HttpBasicAuth
{
use SiteFilterTrait, BasicHttpAuthTrait;

public ?string $username = null;
public ?string $password = null;

/**
* @inheritdoc
*/
public $realm;

/**
* @inheritDoc
*/
public function __construct($config = [])
{
parent::__construct($config + [
'username' => App::env('CRAFT_HTTP_BASIC_AUTH_USERNAME'),
'password' => App::env('CRAFT_HTTP_BASIC_AUTH_PASSWORD'),
'realm' => Craft::$app->getSystemName(),
]);
}

/**
* @inheritDoc
*/
public function beforeAction($action): bool
{
if (!$this->username || !$this->password) {
throw new InvalidConfigException('Basic authentication is not configured.');
}

$currentUser = Craft::$app->getUser()->getIdentity();

if ($currentUser) {
return true;
}

list($username, $password) = Craft::$app->getRequest()->getAuthCredentials();

if ($username === $this->username && $password === $this->password) {
return true;
}

$response = Craft::$app->getResponse();
$this->challenge($response);
$this->handleFailure($response);

return false;
}
}
33 changes: 33 additions & 0 deletions src/filters/BasicHttpAuthTrait.php
Original file line number Diff line number Diff line change
@@ -0,0 +1,33 @@
<?php
/**
* @link https://craftcms.com/
* @copyright Copyright (c) Pixel & Tonic, Inc.
* @license https://craftcms.github.io/license/
*/

namespace craft\filters;

use Craft;
use yii\web\UnauthorizedHttpException;

/**
* Trait BasicHttpAuthTrait
*
* @author Pixel & Tonic, Inc. <[email protected]>
* @since 4.13.0
*/
trait BasicHttpAuthTrait
{
/**
* Detach behavior and manually handle exception so error handling
* isn't called recursively when already handling an exception (e.g. 404s)
*/
public function handleFailure($response): void
{
$this->detach();

Craft::$app->getErrorHandler()->handleException(
new UnauthorizedHttpException('Your request was made with invalid credentials.'),
);
}
}
8 changes: 7 additions & 1 deletion src/filters/SiteFilterTrait.php
Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,12 @@
*/
trait SiteFilterTrait
{
/**
* @var bool Whether the filter should be enabled.
* @since 4.13.0
*/
public bool $enabled = true;

private null|array $siteIds = null;

protected function isActive(mixed $action): bool
Expand All @@ -29,7 +35,7 @@ protected function isActive(mixed $action): bool
return false;
}

return $this->isCurrentSiteActive();
return $this->enabled && $this->isCurrentSiteActive();
}

protected function setSite(null|array|int|string|Site $value): void
Expand Down

0 comments on commit 61d6821

Please sign in to comment.