Support HTTP BasicAuth for authentication if $AUTH_USER is set

src/node/cli.ts

@@ -12,6 +12,7 @@ export enum Feature {
 
 export enum AuthType {
   Password = "password",
+  HttpBasic = "http-basic",
   None = "none",
 }
 
@@ -65,6 +66,7 @@ export interface UserProvidedCodeArgs {
 export interface UserProvidedArgs extends UserProvidedCodeArgs {
   config?: string
   auth?: AuthType
+  "auth-user"?: string
   password?: string
   "hashed-password"?: string
   cert?: OptionalString
@@ -137,6 +139,10 @@ export type Options<T> = {
 
 export const options: Options<Required<UserProvidedArgs>> = {
   auth: { type: AuthType, description: "The type of authentication to use." },
+  "auth-user": {
+     type: "string", 
+     description: "The username for http-basic authentication."
+  },
   password: {
     type: "string",
     description: "The password for password authentication (can only be passed in via $PASSWORD or the config file).",
@@ -569,6 +575,10 @@ export async function setDefaults(cliArgs: UserProvidedArgs, configArgs?: Config
   if (process.env.PASSWORD) {
     args.password = process.env.PASSWORD
   }
+  if (process.env.AUTH_USER) {
+    args["auth"] = AuthType.HttpBasic
+    args["auth-user"] = process.env.AUTH_USER
+  }
 
   if (process.env.CS_DISABLE_FILE_DOWNLOADS?.match(/^(1|true)$/)) {
     args["disable-file-downloads"] = true

src/node/http.ts

@@ -111,6 +111,25 @@ export const ensureAuthenticated = async (
   }
 }
 
+/**
+ * Validate basic auth credentials.
+ */
+const validateBasicAuth = (authHeader: string | undefined, authUser: string | undefined, authPassword: string | undefined): boolean => {
+  if (!authHeader?.startsWith('Basic ')) {
+    return false;
+  }
+
+  try {
+    const base64Credentials = authHeader.split(' ')[1];
+    const credentials = Buffer.from(base64Credentials, 'base64').toString('utf-8');
+    const [username, password] = credentials.split(':');
+    return username === authUser && password === authPassword;
+  } catch (error) {
+    logger.error('Error validating basic auth:' + error);
+    return false;
+  }
+};
+
 /**
  * Return true if authenticated via cookies.
  */
@@ -132,6 +151,9 @@ export const authenticated = async (req: express.Request): Promise<boolean> => {
 
       return await isCookieValid(isCookieValidArgs)
     }
+    case AuthType.HttpBasic: {
+      return validateBasicAuth(req.headers.authorization, req.args["auth-user"], req.args.password);
+    }
     default: {
       throw new Error(`Unsupported auth type ${req.args.auth}`)
     }

src/node/main.ts

@@ -142,6 +142,10 @@ export const runCodeServer = async (
     } else {
       logger.info(`    - Using password from ${args.config}`)
     }
+  } else if (args.auth === AuthType.HttpBasic) {
+    logger.info("  - HTTP basic authentication is enabled")
+    logger.info("    - Using user from $AUTH_USER")
+    logger.info("    - Using password from $PASSWORD")
   } else {
     logger.info("  - Authentication is disabled")
   }

src/node/routes/domainProxy.ts

@@ -3,6 +3,7 @@ import { HttpCode, HttpError } from "../../common/http"
 import { getHost, ensureProxyEnabled, authenticated, ensureAuthenticated, ensureOrigin, redirect, self } from "../http"
 import { proxy } from "../proxy"
 import { Router as WsRouter } from "../wsRouter"
+import { AuthType } from "../cli"
 
 export const router = Router()
 
@@ -78,6 +79,10 @@ router.all(/.*/, async (req, res, next) => {
       if (/\/login\/?/.test(req.path)) {
         return next()
       }
+      // If auth is HttpBasic, return a 401.
+      if (req.args.auth === AuthType.HttpBasic) {
+        throw new HttpError("Unauthorized", HttpCode.Unauthorized)
+      }
       // Redirect all other pages to the login.
       const to = self(req)
       return redirect(req, res, "login", {

src/node/routes/pathProxy.ts

@@ -4,6 +4,7 @@ import * as pluginapi from "../../../typings/pluginapi"
 import { HttpCode, HttpError } from "../../common/http"
 import { ensureProxyEnabled, authenticated, ensureAuthenticated, ensureOrigin, redirect, self } from "../http"
 import { proxy as _proxy } from "../proxy"
+import { AuthType } from "../cli"
 
 const getProxyTarget = (
   req: Request,
@@ -28,7 +29,7 @@ export async function proxy(
 
   if (!(await authenticated(req))) {
     // If visiting the root (/:port only) redirect to the login page.
-    if (!req.params.path || req.params.path === "/") {
+    if ((!req.params.path || req.params.path === "/") && req.args.auth !== AuthType.HttpBasic) {
       const to = self(req)
       return redirect(req, res, "login", {
         to: to !== "/" ? to : undefined,

src/node/routes/vscode.ts

@@ -7,12 +7,13 @@ import * as net from "net"
 import * as path from "path"
 import { WebsocketRequest } from "../../../typings/pluginapi"
 import { logError } from "../../common/util"
-import { CodeArgs, toCodeArgs } from "../cli"
+import { AuthType, CodeArgs, toCodeArgs } from "../cli"
 import { isDevMode, vsRootPath } from "../constants"
 import { authenticated, ensureAuthenticated, ensureOrigin, redirect, replaceTemplates, self } from "../http"
 import { SocketProxyProvider } from "../socket"
 import { isFile } from "../util"
 import { Router as WsRouter } from "../wsRouter"
+import { HttpCode, HttpError } from "../../common/http"
 
 export const router = express.Router()
 
@@ -118,6 +119,11 @@ router.get("/", ensureVSCodeLoaded, async (req, res, next) => {
   const FOLDER_OR_WORKSPACE_WAS_CLOSED = req.query.ew
 
   if (!isAuthenticated) {
+    // If auth is HttpBasic, return a 401.
+    if (req.args.auth === AuthType.HttpBasic) {
+      res.setHeader('WWW-Authenticate', 'Basic realm="Access to the site"')
+      throw new HttpError("Unauthorized", HttpCode.Unauthorized)
+    };
     const to = self(req)
     return redirect(req, res, "login", {
       to: to !== "/" ? to : undefined,