From 85de40d950d7384cbd47c25dc58822b3febe8fc6 Mon Sep 17 00:00:00 2001
From: Alicia Sykes <alicia@omg.lol>
Date: Sun, 28 Apr 2024 15:08:05 +0100
Subject: [PATCH] =?UTF-8?q?=F0=9F=9B=82=20Adds=20option=20for=20env=20vars?=
 =?UTF-8?q?=20for=20passwords?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 server.js | 22 ++++++++++++++++------
 1 file changed, 16 insertions(+), 6 deletions(-)

diff --git a/server.js b/server.js
index cc45bd6e..d7f5567f 100644
--- a/server.js
+++ b/server.js
@@ -6,13 +6,15 @@
  * */
 
 /* Import built-in Node server modules */
+const fs = require('fs');
+const os = require('os');
+const dns = require('dns');
 const http = require('http');
 const path = require('path');
 const util = require('util');
-const dns = require('dns');
-const os = require('os');
-const fs = require('fs');
 const crypto = require('crypto');
+
+/* Import NPM dependencies */
 const yaml = require('js-yaml');
 
 /* Import Express + middleware functions */
@@ -65,7 +67,7 @@ const printWelcomeMessage = () => {
       console.log(printMessage(ip, port, isDocker)); // eslint-disable-line no-console
     });
   } catch (e) {
-    // Fetching info for welcome message failed, print simple msg instead
+    // No clue what could of gone wrong here, but print fallback message if above failed
     console.log(`Dashy server has started (${port})`); // eslint-disable-line no-console
   }
 };
@@ -75,6 +77,7 @@ const printWarning = (msg, error) => {
   console.warn(`\x1b[103m\x1b[34m${msg}\x1b[0m\n`, error || ''); // eslint-disable-line no-console
 };
 
+/* Load appConfig.auth.users from config (if present) for authorization purposes */
 function loadUserConfig() {
   try {
     const filePath = path.join(__dirname, process.env.USER_DATA_DIR || 'user-data', 'conf.yml');
@@ -86,13 +89,20 @@ function loadUserConfig() {
   }
 }
 
+/* If HTTP auth is enabled, and no username/password are pre-set, then check passed credentials */
 function customAuthorizer(username, password) {
   const sha256 = (input) => crypto.createHash('sha256').update(input).digest('hex').toUpperCase();
+  const generateUserToken = (user) => {
+    if (!user.user || (!user.hash && !user.password)) return '';
+    const strAndUpper = (input) => input.toString().toUpperCase();
+    const passwordHash = user.hash || sha256(process.env[user.password]);
+    const sha = sha256(strAndUpper(user.user) + strAndUpper(passwordHash));
+    return strAndUpper(sha);
+  };
   if (password.startsWith('Bearer ')) {
     const token = password.slice('Bearer '.length);
-    const tokenHash = sha256(token);
     const users = loadUserConfig();
-    return users.some(user => user.hash.toUpperCase() === tokenHash);
+    return users.some(user => generateUserToken(user) === token);
   } else {
     const users = loadUserConfig();
     const userHash = sha256(password);