inline basic-auth module

package-lock.json

@@ -16,7 +16,6 @@
         "@smithy/node-http-handler": "^4.0.2",
         "@smithy/util-retry": "^4.0.1",
         "async": "^3.2.6",
-        "basic-auth": "^2.0.1",
         "cloudron-manifestformat": "^5.26.2",
         "connect": "^3.7.0",
         "connect-lastmile": "^2.2.0",
@@ -2921,16 +2920,6 @@
       "version": "1.3.1",
       "license": "MIT"
     },
-    "node_modules/basic-auth": {
-      "version": "2.0.1",
-      "license": "MIT",
-      "dependencies": {
-        "safe-buffer": "5.1.2"
-      },
-      "engines": {
-        "node": ">= 0.8"
-      }
-    },
     "node_modules/bcrypt-pbkdf": {
       "version": "1.0.2",
       "license": "BSD-3-Clause",

package.json

@@ -24,7 +24,6 @@
     "@smithy/node-http-handler": "^4.0.2",
     "@smithy/util-retry": "^4.0.1",
     "async": "^3.2.6",
-    "basic-auth": "^2.0.1",
     "cloudron-manifestformat": "^5.26.2",
     "connect": "^3.7.0",
     "connect-lastmile": "^2.2.0",

src/proxyauth.js

@@ -9,7 +9,6 @@ exports = module.exports = {
 
 const apps = require('./apps.js'),
     assert = require('assert'),
-    basicAuth = require('basic-auth'),
     blobs = require('./blobs.js'),
     branding = require('./branding.js'),
     constants = require('./constants.js'),
@@ -50,6 +49,23 @@ function jwtVerify(req, res, next) {
     });
 }
 
+function basicAuth(req) {
+    const CREDENTIALS_REGEXP = /^ *(?:[Bb][Aa][Ss][Ii][Cc]) +([A-Za-z0-9._~+/-]+=*) *$/;
+    const USER_PASS_REGEXP = /^([^:]*):(.*)$/;
+
+    const header = req.headers.authorization;
+    if (!header) return null;
+
+    const match = CREDENTIALS_REGEXP.exec(header);
+    if (!match) return null;
+
+    const decodedHeader = Buffer.from(match[1], 'base64').toString();
+    const userPass = USER_PASS_REGEXP.exec(decodedHeader);
+    if (!userPass) return null;
+
+    return { username: userPass[1], password: userPass[2] };
+}
+
 async function authorizationHeader(req, res, next) {
     const appId = req.headers['x-app-id'] || '';
     if (!appId) return next();
@@ -68,8 +84,8 @@ async function authorizationHeader(req, res, next) {
 
     if (!app.manifest.addons.proxyAuth.basicAuth) return next(); // this is a flag because this allows auth to bypass 2FA
 
-    const verifyFunc = credentials.name.indexOf('@') !== -1 ? users.verifyWithEmail : users.verifyWithUsername;
-    const [verifyError, user] = await safe(verifyFunc(credentials.name, credentials.pass, appId, { skipTotpCheck: true }));
+    const verifyFunc = credentials.username.indexOf('@') !== -1 ? users.verifyWithEmail : users.verifyWithUsername;
+    const [verifyError, user] = await safe(verifyFunc(credentials.username, credentials.password, appId, { skipTotpCheck: true }));
     if (verifyError) return next(new HttpError(403, 'Invalid username or password' ));
 
     req.user = user;