htpasswd utility support about go-http-auth HOT 7 CLOSED

go-http-auth is supposed to support htpasswd-generated files out of the box. Can you post an example password line from your file, say, for user test and password topsecret?

from go-http-auth.

Here is the entry for test:topsecret that my htpasswd app produces:

test:$apr1$JI4wh3am$AmhephVqLTUyAVpFQeHZC0

I did a good deal more digging on my end and now understand how htpasswd works. Knowing what I know now my comments regarding the salt were clearly wrong. I've also compared the go-http-auth code to the htpasswd source code and the algorithms look the same. At this point I'm pretty much stumped so any help will be greatly appreciated.

For what it's worth this is the final result that go-http-auth produces for the comparison to what is in the file:

$apr1$JI4wh3am$SmrzMRJpP7nrXzmMF2QAn/

Thanks.

from go-http-auth.

That's interesting. Please see 46b9627 which adds your example password to test cases (with tests still passing). I'm not sure the issue is exactly in apr1 md5crypt implementation. Can you describe your setup in more detail, or better provide a minimal failing example?

from go-http-auth.

I'm running Ubuntu 14.04 and using go 1.4.2. I've got the go-http-auth source from master. Only modifications I've made are for adding log messages.

Here is a very simple example go app:

package main

import (
    "flag"
    auth "github.com/abbot/go-http-auth"
    "github.com/gorilla/mux"
    "log"
    "net/http"
    "time"
)

func main() {
    var passwordFile, staticDir string

    flag.StringVar(&staticDir, "static-dir", "", "The directory containing static content to be served.")
    flag.StringVar(&passwordFile, "password-file", "htpasswd", "The path to the password file that should match the format of htpasswd.")
    flag.Parse()
    if len(staticDir) == 0 {
        log.Fatalf("static-dir must be provided")
    }

    log.Printf("staticDir = %s", staticDir)

    secrets := auth.HtpasswdFileProvider(passwordFile)
    authenticator := auth.NewBasicAuthenticator("gitrest", secrets)

    r := mux.NewRouter().StrictSlash(false)
    r.PathPrefix("/").Handler(http.FileServer(http.Dir(staticDir)))
    http.Handle("/", authenticator.Wrap(func(w http.ResponseWriter, ar *auth.AuthenticatedRequest) {
        r.ServeHTTP(w, &ar.Request)
    }))
    s := &http.Server{
        Addr:           ":8080",
        ReadTimeout:    10 * time.Second,
        WriteTimeout:   10 * time.Second,
        MaxHeaderBytes: 1 << 20,
    }
    log.Fatal(s.ListenAndServe())
}

from go-http-auth.

Still can't reproduce.

Clone https://gist.github.com/abbot/a30e91ffec76934c6fbc and run run_server.sh in one terminal, test.sh in other terminal. Works as expected for me.

from go-http-auth.

I solved my problem. And it was my problem. In the process learned more about HTTP Basic Auth than I ever thought I would.

Problem stemmed from my use of the base64 Mac command line program that base64 encodes using RFC 4648, not the HTTP required RFC 2045.

My confusion was compounded by the debugging messages I put into the go-http-auth library that was hiding the existence of a newline in the decoded password. So, the strings looked the same from go-http-auth even though the one encoded with RFC 4648 had the offending newline.

Anyway, working now. Many thanks for the help and for providing this library.

from go-http-auth.

Unless I'm terribly mistaken, base64 encoding as defined in rfc4648 is no different from rfc2045 (and rfc4648 states that it's version is derived from rfc2045 and related work). The trailing newline was the problem. Good to see this resolved.

from go-http-auth.