Merge pull request #1593 from alphagov/add-basic-auth-option

currycoder · web-flow · commit 1cb92daf6e4c · 2026-03-27T09:16:56.000Z
Add basic auth
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
@@ -1,6 +1,6 @@
 class ApplicationController < ActionController::Base
   protect_from_forgery with: :exception, prepend: true
-  before_action :restrict_request_format
+  before_action :authenticate, :restrict_request_format
   rescue_from SolrDataset::NotFound, with: :render_not_found
   rescue_from SolrDatafile::NotFound, with: :render_not_found
   before_action :set_collections
@@ -132,4 +132,25 @@ def set_data_manual_menu_items
       },
     ]
   end
+
+  def authenticate
+    # /healthz endpoint override unnecessary as rails health endpoint does not inherit from this controller
+    if ENV["BASIC_AUTH_BYPASS"].present?
+      header_key, header_value = ENV["BASIC_AUTH_BYPASS"].split(":").map(&:strip)
+
+      if request.headers.key?(header_key) && (request.headers[header_key] == header_value)
+        return true
+      end
+    end
+
+    if ENV["BASIC_AUTH_USERNAME"].present? && ENV["BASIC_AUTH_PASSWORD"].present?
+      authenticate_or_request_with_http_basic do |username, password|
+        ActiveSupport::SecurityUtils.secure_compare(username, ENV["BASIC_AUTH_USERNAME"]) &
+          ActiveSupport::SecurityUtils.secure_compare(password, ENV["BASIC_AUTH_PASSWORD"])
+      end
+    else
+      logger.warn "BASIC_AUTH_USERNAME and BASIC_AUTH_PASSWORD environment variables are not set. Basic authentication is disabled."
+      true
+    end
+  end
 end
diff --git a/docker/dev.Dockerfile b/docker/dev.Dockerfile
@@ -5,6 +5,8 @@ USER root
 COPY ./spec ./spec
 ENV BUNDLE_WITHOUT=""
 ENV RAILS_ENV=development
+ENV BASIC_AUTH_USERNAME=admin
+ENV BASIC_AUTH_PASSWORD=password
 ENV GOVUK_TEST_CHROME_NO_SANDBOX=1
 RUN apt-get update && apt-get install -y \
     g++ git gpg libc-dev libcurl4-openssl-dev libgdbm-dev libssl-dev \
diff --git a/spec/features/v2/basic_auth_spec.rb b/spec/features/v2/basic_auth_spec.rb
@@ -0,0 +1,37 @@
+require "rails_helper"
+
+RSpec.feature "basic auth", type: :feature do
+  before do
+    stub_const("ENV", ENV.to_hash.merge("BASIC_AUTH_USERNAME" => "test-username"))
+    stub_const("ENV", ENV.to_hash.merge("BASIC_AUTH_PASSWORD" => "test-password"))
+    stub_const("ENV", ENV.to_hash.merge("BASIC_AUTH_BYPASS" => "some-header: some-value"))
+  end
+
+  scenario "I visit the homepage without setting authentication" do
+    visit "/"
+    expect(page).to have_http_status(:unauthorized)
+  end
+
+  scenario "I visit the homepage with good authentication" do
+    page.driver.browser.authorize("test-username", "test-password")
+    visit "/"
+    expect(page).to have_http_status(:ok)
+  end
+
+  scenario "I visit the homepage with basic auth bypass header" do
+    page.driver.header "some-header", "some-value"
+    visit "/"
+    expect(page).to have_http_status(:ok)
+  end
+
+  scenario "I visit the homepage with incorrect basic auth bypass header" do
+    page.driver.header "some-header", "some-incorrect-value"
+    visit "/"
+    expect(page).to have_http_status(:unauthorized)
+  end
+
+  scenario "I visit the healthcheck page without setting authentication" do
+    visit "/healthz"
+    expect(page).to have_http_status(:ok)
+  end
+end
