{"id":13723903,"url":"https://github.com/antifuchs/htpasswd-login","last_synced_at":"2025-05-07T17:32:05.565Z","repository":{"id":39902575,"uuid":"83247130","full_name":"antifuchs/htpasswd-login","owner":"antifuchs","description":"A RESTful authentication service combining .htpasswd and nginx's auth_request","archived":true,"fork":false,"pushed_at":"2023-08-20T17:52:36.000Z","size":3056,"stargazers_count":10,"open_issues_count":6,"forks_count":2,"subscribers_count":3,"default_branch":"master","last_synced_at":"2024-08-04T01:23:05.023Z","etag":null,"topics":["authentication","http","nginx"],"latest_commit_sha":null,"homepage":null,"language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/antifuchs.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2017-02-26T23:03:34.000Z","updated_at":"2023-08-23T12:58:32.000Z","dependencies_parsed_at":"2024-06-19T09:52:59.094Z","dependency_job_id":"8b0218e4-5f34-4a34-8029-71e8abcc5ddd","html_url":"https://github.com/antifuchs/htpasswd-login","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/antifuchs%2Fhtpasswd-login","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/antifuchs%2Fhtpasswd-login/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/antifuchs%2Fhtpasswd-login/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/antifuchs%2Fhtpasswd-login/manifests","owner_url":"http
s://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/antifuchs","download_url":"https://codeload.github.com/antifuchs/htpasswd-login/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":224628204,"owners_count":17343289,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["authentication","http","nginx"],"created_at":"2024-08-03T01:01:46.965Z","updated_at":"2024-11-14T13:31:16.775Z","avatar_url":"https://github.com/antifuchs.png","language":"Go","funding_links":[],"categories":["Go"],"sub_categories":[],"readme":"# A minimal nginx `auth_request` authentication service, based on cookies and htpasswd.\n[![Build Status](https://travis-ci.org/antifuchs/htpasswd-login.svg?branch=master)](https://travis-ci.org/antifuchs/htpasswd-login)\n\nThis little go tool can be used as an authentication service for\nnginx's\n[`ngx_http_auth_request_module`](http://nginx.org/en/docs/http/ngx_http_auth_request_module.html),\nverifying that session cookies are valid and allowing users to log in\nand have their data validated against\na\n[`.htpasswd`](https://httpd.apache.org/docs/current/programs/htpasswd.html) file.\n\nThis means that if you run nginx and you have few users (and\nfew-enough sessions), you can run this service next to an actual\nservice you're running and have `htpasswd-login` run a RESTful service\nfor authentication and even serve up a customizable authentication\nform.\n\n## Status: [![No Maintenance Intended](http://unmaintained.tech/badge.svg)](http://unmaintained.tech/)\n\nI'm no longer using this tool, and haven't done 
work on it in a while. Since this is a security-relevant project, I believe you should be properly informed about the status of this project, which is: unmaintained, archived.\n\nFeel free to fork this and maintain it if you do use it - I'm happy to unarchive the repo to point at your fork in the readme.\n\n## Installation / running this\n\n`htpasswd-login` requires go modules to build, so a recent go\ncheckout is recommended - in CI, this tool builds with go 1.14.x.\n\nYou can `go get -u github.com/antifuchs/htpasswd-login` and you should\nend up with a `htpasswd-login` binary in your `$GOBIN` directory.\n\nOnce installed, you can try out this service on the commandline like this (assuming `/tmp/sessions` exists):\n\n`htpasswd-login --sessions /tmp/sessions --htpasswd example/htpasswd --secure=false --loginform=example/page`\n\nSee [example/README.md](example/README.md) for details.\n\nOnce the login form looks like you think it should, deploy this to be\nvisible to the big, bad internet. The following sections are (in order\nof importance) what you will definitely need to do:\n\n### Use HTTPS\n\nIn deployment (if you're running on HTTPS, which [you\nshould](https://letsencrypt.org)), *please* run this with\n`--secure=true` so that no cookies leak over insecure channels.\n\n### Configure a CSRF secret\n\n`htpasswd-login` uses [CSRF\nprotection](https://blog.codinghorror.com/preventing-csrf-and-xsrf-attacks/)\nto hopefully prevent some easy avenues for phishing from authenticated\nsites. 
You should generate a CSRF secret and re-use this (otherwise\nlogin forms served to clients will no longer be submittable if you\nrestart the server).\n\nTo generate a secret once, use\n`dd if=/dev/urandom bs=32 count=1 | openssl base64 \u003e csrf-secret.b64`\n\nThen, to use that secret, pass the `--csrf=\"$(cat csrf-secret.b64)\"`\nflag to htpasswd-login.\n\n### Set up a cron job to clean out old sessions\n\nOnce this is working for you, make sure to run the tool with the same\narguments as you run the frontend with, and add `-cleanup` in a cron\njob once an hour or so, in order to clean out old sessions.\n\n## Configuring nginx\n\nSee the file [auth_request.inc.conf](example/auth_request.inc.conf)\nin examples for an example config. Note that in addition to including\nthis file in your `server` blocks, you'll also have to have an\n`auth_request /auth` stanza in every `location` block you wish to\nprotect.\n\n## Limits \u0026 Operation\n\nThis tool is meant for personal use, and specifically constrains\nitself to some design choices that you shouldn't make when running\nthis on a larger scale. Here are the assumptions I've made:\n\n* You don't have very many users. Credential lookup is O(n), which\n  means that more users will make logins slow.\n\n* Each user doesn't have very many sessions. We store sessions in a\n  directory, which means that as the total number of sessions grows\n  into the many thousands, looking up those sessions will get slower\n  (and may slow down your overall system).\n\n* You should run `-cleanup` regularly, to remove old sessions.\n\n\n## Why?\n\nYou obviously have questions. I have reasons for building this. (And I\nwould have loved not to have to build this!) 
Here goes:\n\n### Why not just use HTTP Basic authentication?\n\nThat's a good\nquestion:\n[HTTP Basic authentication](https://en.wikipedia.org/wiki/Basic_access_authentication) is\nquite simple, and if you can use it, you probably should!\n\nHowever, Basic auth has some drawbacks:\n\n* Most browsers present a UI that isn't suitable for password managers\n\n* Some backend programs are not completely able to deal with living\n  behind Basic auth: Some generate URLs that just don't work.\n\nI think this tool combines the nicest advantages of HTTP Basic\nauthentication (namely, that you can use `.htpasswd` files, which are\nvery well understood and easy to manipulate), with a nice and\naccessible way for your users to log in.\n\nAs an accommodation for native apps that act as API clients, requests\nbearing an HTTP Basic `Authorization` header matching the credentials\nin the `.htpasswd` file count as authenticated. So you *can* use Basic\nauthentication, however your users won't receive a login prompt.\n\n### Why not build authentication into the thing you're running behind the scenes?\n\nThat mostly has to do with the amount of trust I'm willing to place in\nthe backend program: If that has a preauth bug, there's a\nproblem. (That said, if this program has a preauth bug, I would love\nto [hear about it!](./CONTRIBUTING.md))\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fantifuchs%2Fhtpasswd-login","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fantifuchs%2Fhtpasswd-login","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fantifuchs%2Fhtpasswd-login/lists"}