configurable basic-auth preference;

adds options `--bauth-last` to lower the preference for taking the basic-auth password in case of conflict, and `--no-bauth` to entirely disable basic-authentication if a client is providing multiple passwords, for example when "logged in" with one password (the `cppwd` cookie) and switching to another account by also sending a PW header/url-param, then the default evaluation order to determine which password to use is: url-param `pw`, header `pw`, basic-auth header, cookie (cppwd/cppws) so if a client supplies a basic-auth header, it will ignore the cookie and use the basic-auth password instead, which usually makes sense but this can become a problem if you have other webservers running on the same domain which also support basic-authentication --bauth-last is a good choice for cooperating with such services, as --no-bauth currently breaks support for the android app...
2025-08-17 09:02:15 -06:00 · 2024-04-11 20:15:49 +00:00 · 2024-04-11 20:15:49 +00:00 · 7b94e4edf3
parent da26ec36ca
commit 7b94e4edf3
3 changed files with 13 additions and 1 deletions
--- a/copyparty/main.py
+++ b/copyparty/main.py
@ -949,6 +949,8 @@ def add_auth(ap):
    ap2.add_argument("--idp-h-grp", metavar="HN", type=u, default="", help="assume the request-header \033[33mHN\033[0m contains the groupname of the requesting user; can be referenced in config files for group-based access control")
    ap2.add_argument("--idp-h-key", metavar="HN", type=u, default="", help="optional but recommended safeguard; your reverse-proxy will insert a secret header named \033[33mHN\033[0m into all requests, and the other IdP headers will be ignored if this header is not present")
    ap2.add_argument("--idp-gsep", metavar="RE", type=u, default="|:;+,", help="if there are multiple groups in \033[33m--idp-h-grp\033[0m, they are separated by one of the characters in \033[33mRE\033[0m")
+    ap2.add_argument("--no-bauth", action="store_true", help="disable basic-authentication support; do not accept passwords from the 'Authenticate' header at all. NOTE: This breaks support for the android app")
+    ap2.add_argument("--bauth-last", action="store_true", help="keeps basic-authentication enabled, but only as a last-resort; if a cookie is also provided then the cookie wins")


 def add_zeroconf(ap):
--- a/copyparty/httpcli.py
+++ b/copyparty/httpcli.py
@ -443,7 +443,11 @@ class HttpCli(object):

        zso = self.headers.get("authorization")
        bauth = ""
-        if zso:
+        if (
+            zso
+            and not self.args.no_bauth
+            and (not cookie_pw or not self.args.bauth_last)
+        ):
            try:
                zb = zso.split(" ")[1].encode("ascii")
                zs = base64.b64decode(zb).decode("utf-8")
--- a/copyparty/svchub.py
+++ b/copyparty/svchub.py
@ -424,6 +424,12 @@ class SvcHub(object):
            t = "WARNING: found config files in [%s]: %s\n  config files are not expected here, and will NOT be loaded (unless your setup is intentionally hella funky)"
            self.log("root", t % (E.cfg, ", ".join(hits)), 3)

+        if self.args.no_bauth:
+            t = "WARNING: --no-bauth disables support for the Android app; you may want to use --bauth-last instead"
+            self.log("root", t, 3)
+            if self.args.bauth_last:
+                self.log("root", "WARNING: ignoring --bauth-last due to --no-bauth", 3)
+
    def _process_config(self) -> bool:
        al = self.args