From 730e5f5351ac48e1ca79da44f9720757e49a804e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Cl=C3=A9ment=20Sala=C3=BCn?=
Date: Mon, 7 Feb 2022 16:11:36 +0100
Subject: [PATCH] Fix HTTP Basic (#152)

Co-authored-by: Geoffrey Ragot
---
 pkg/api/middlewares/auth_middleware.go | 15 +++++++++++----
 pkg/api/routes/routes.go | 1 +
 2 files changed, 12 insertions(+), 4 deletions(-)

diff --git a/pkg/api/middlewares/auth_middleware.go b/pkg/api/middlewares/auth_middleware.go
index d50696872..21550ecf0 100644
--- a/pkg/api/middlewares/auth_middleware.go
+++ b/pkg/api/middlewares/auth_middleware.go
@@ -1,6 +1,7 @@
 package middlewares

 import (
+ "net/http"
 "strings"

 "github.com/gin-gonic/gin"
@@ -19,13 +20,19 @@ func NewAuthMiddleware(httpBasic string) AuthMiddleware {
 }

 // AuthMiddleware
-func (m AuthMiddleware) AuthMiddleware(engine *gin.Engine) gin.HandlerFunc {
+func (m AuthMiddleware) AuthMiddleware() gin.HandlerFunc {
 return func(c *gin.Context) {
 if auth := m.HTTPBasic; auth != "" {
 segment := strings.Split(auth, ":")
- engine.Use(gin.BasicAuth(gin.Accounts{
- segment[0]: segment[1],
- }))
+ username, password, ok := c.Request.BasicAuth()
+ if !ok {
+ c.AbortWithStatus(http.StatusForbidden)
+ return
+ }
+ if segment[0] != username || segment[1] != password {
+ c.AbortWithStatus(http.StatusForbidden)
+ return
+ }
 }
 }
 }
diff --git a/pkg/api/routes/routes.go b/pkg/api/routes/routes.go
index fde6c6bdb..f33be9db5 100644
--- a/pkg/api/routes/routes.go
+++ b/pkg/api/routes/routes.go
@@ -101,6 +101,7 @@ func (r *Routes) Engine(cc cors.Config) *gin.Engine {
 "user_agent": c.Request.UserAgent(),
 }).Info(c.Request.Context(), "Request")
 },
+ r.authMiddleware.AuthMiddleware(),
 }, r.globalMiddlewares...)

 // Default Middlewares
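Review bot: The credential check `segment[0] != username || segment[1] != password` compares secrets with ordinary string comparison, which short-circuits and is not constant-time; running `subtle.ConstantTimeCompare` from `crypto/subtle` (a new import) on both fields before branching avoids that timing signal. The unchanged `strings.Split(auth, ":")` just above it matters now that its result is used on every request: a configured value with no colon makes `segment[1]` panic, and a configured password containing a colon is cut at the second colon, so a shorter password than the configured one is accepted. Both rejection paths answer 403 with no `WWW-Authenticate` header, so a client is never challenged for Basic credentials; 401 with the challenge header is the conventional reply.

```go
if auth := m.HTTPBasic; auth != "" {
	// SplitN keeps any ':' inside the configured password intact.
	segment := strings.SplitN(auth, ":", 2)
	if len(segment) != 2 {
		// Malformed configuration: fail closed instead of indexing past the slice.
		c.AbortWithStatus(http.StatusInternalServerError)
		return
	}
	username, password, ok := c.Request.BasicAuth()
	// Evaluate both comparisons before branching so timing does not show which field differed.
	userOK := subtle.ConstantTimeCompare([]byte(username), []byte(segment[0])) == 1
	passOK := subtle.ConstantTimeCompare([]byte(password), []byte(segment[1])) == 1
	if !ok || !userOK || !passOK {
		c.AbortWithStatus(http.StatusForbidden)
		return
	}
}
```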
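Review bot: Registering `r.authMiddleware.AuthMiddleware()` in this first middleware slice puts the Basic check ahead of `r.globalMiddlewares` and of whatever follows `// Default Middlewares`, so every route and method is gated, including requests that never carry credentials. If the CORS handler built from `cc` is installed further down (not visible here, as Engine continues outside the hunk), browser preflight `OPTIONS` requests would be rejected with 403 before CORS can answer them. A comment on the added line such as `// Basic auth gates every route; CORS preflights must be handled before this runs` would record the ordering constraint. Health or readiness endpoints, if any exist, need the same consideration.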