Add HTTP Basic Auth

All write endpoints and the manage routes are gated behind HTTP Basic Auth middleware; credentials are configured via [auth] in config.toml or APP__AUTH__USERNAME / APP__AUTH__PASSWORD environment variables.
2026-04-28 03:23:57 +02:00
parent c13f5b9a88
commit 08fd6cea70
7 changed files with 103 additions and 6 deletions
@@ -1,3 +1,4 @@
+mod auth;
 mod config;
 mod db;
 mod models;
@@ -7,6 +8,7 @@ mod storage;
 use std::sync::Arc;

 use axum::{
+    middleware,
    routing::{delete, get, post, put},
    Router,
 };
@@ -21,6 +23,7 @@ use crate::{config::AppConfig, db::Database, storage::S3Storage};
 pub struct AppState {
    pub db: Database,
    pub storage: S3Storage,
+    pub cfg: Arc<AppConfig>,
 }

 #[tokio::main]
@@ -50,18 +53,25 @@ async fn main() {
    // Build S3 storage client.
    let storage = S3Storage::new(&cfg);

-    let state = AppState { db, storage };
+    let state = AppState { db, storage, cfg: cfg.clone() };
+
+    let protected = Router::new()
+        .route("/manage", get(routes::manage::manage_root))
+        .route("/manage/emotes", get(routes::manage::list_admin_emotes))
+        .route("/emotes", post(routes::emotes::create_emote))
+        .route("/emotes/{uuid}", put(routes::emotes::update_emote))
+        .route("/emotes/{uuid}", delete(routes::emotes::delete_emote))
+        .layer(middleware::from_fn_with_state(
+            state.clone(),
+            auth::require_basic_auth,
+        ));

    let app = Router::new()
        .route("/", get(routes::emotes::root))
        .route("/health", get(routes::health::health))
        .route("/version", get(routes::version::version))
        .route("/json", get(routes::emotes::list_emotes))
-        .route("/emotes", post(routes::emotes::create_emote))
-        .route("/emotes/{uuid}", put(routes::emotes::update_emote))
-        .route("/emotes/{uuid}", delete(routes::emotes::delete_emote))
-        .route("/manage", get(routes::manage::manage_root))
-        .route("/manage/emotes", get(routes::manage::list_admin_emotes))
+        .merge(protected)
        .layer(TraceLayer::new_for_http())
        .with_state(state);