feat(auth): implement basic http auth with htpasswd file

- added htpasswd-based basic authentication support
- supports bcrypt, MD5, SHA, SHA-256, SHA-512, crypt, and plain hash types
- config via AUTH__HTPASSWD__FILE or AUTH__HTPASSWD__CONTENTS env vars
- added conformance testing with auth matrix (none, htpasswd)
- includes comprehensive auth spec tests
- prevents user enumeration attacks

Assisted-by: Tern (OpenClaw on GLM 4.7)

Author: dvjn

.github/workflows/conformance.yml

@@ -9,6 +9,10 @@ on:
 jobs:
   conformance:
     runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        auth: [none, htpasswd]
+      fail-fast: false
 
     steps:
       - name: Checkout
@@ -31,6 +35,21 @@ jobs:
           cd distribution-spec/conformance
           go test -c
 
+      - name: Setup auth
+        run: |
+          case "${{ matrix.auth }}" in
+            none)
+              echo "running with no authentication"
+              ;;
+            htpasswd)
+              htpasswd -Bbc .htpasswd testuser testpass
+              echo "AUTH__MODE=htpasswd" >> $GITHUB_ENV
+              echo "AUTH__HTPASSWD__FILE=.htpasswd" >> $GITHUB_ENV
+              echo "OCI_USERNAME=testuser" >> $GITHUB_ENV
+              echo "OCI_PASSWORD=testpass" >> $GITHUB_ENV
+              ;;
+          esac
+
       - name: Start sorcerer server
         run: |
           ./sorcerer &
@@ -63,7 +82,7 @@ jobs:
         if: always()
         uses: actions/upload-artifact@v4
         with:
-          name: conformance-results
+          name: conformance-results-${{ matrix.auth }}
           path: |
             distribution-spec/conformance/report.html
             distribution-spec/conformance/junit.xml

README.md

@@ -14,6 +14,7 @@ container images privately.
 - Simple configuration
 - Minimal dependencies
 - Lightweight design
+- HTPASSWD authentication support
 
 
 ## Usage
@@ -51,7 +52,9 @@ Sorcerer can be configured using the following environment variables:
 | -------------------- | ------- | ------------------------------------------------------------------------------- |
 | `PORT`               | `3000`  | Port to run the server on.                                                      |
 | `STORE__PATH`        | `data`  | Path to store registry data.                                                    |
-| `AUTH__MODE`         | `none`  | Authentication mode. Can only be set to `none` for now.                         |
+| `AUTH__MODE`         | `none`  | Authentication mode. Can be `none` or `htpasswd`.                               |
+| `AUTH__HTPASSWD__FILE` | -    | Path to htpasswd file (required when AUTH__MODE=htpasswd).                      |
+| `AUTH__HTPASSWD__CONTENTS` | -  | Inline htpasswd contents (alternative to file). One per line in `user:hash` format. |
 | `LOG__LEVEL`         | `info`  | Log level. Can be set to `debug`, `info`, `warn`, `error`, `fatal`, or `panic`. |
 
 

cmd/sorcerer/main.go

@@ -30,7 +30,7 @@ func main() {
 		log.Fatal().Errs("errors", errors).Msg("config validations failed")
 	}
 
-	auth, err := auth.New(&config.Auth)
+	auth, err := auth.New(&config.Auth, &log.Logger)
 	if err != nil {
 		log.Fatal().Err(err).Msg("failed to initialize auth")
 	}

go.mod

@@ -9,9 +9,12 @@ require (
 	github.com/knadh/koanf/v2 v2.2.0
 	github.com/opencontainers/distribution-spec/specs-go v0.0.0-20250220192232-583e014d1541
 	github.com/rs/zerolog v1.34.0
+	github.com/tg123/go-htpasswd v1.2.4
+	golang.org/x/crypto v0.37.0
 )
 
 require (
+	github.com/GehirnInc/crypt v0.0.0-20230320061759-8cc1b52080c5 // indirect
 	github.com/fatih/structs v1.1.0 // indirect
 	github.com/go-viper/mapstructure/v2 v2.2.1 // indirect
 	github.com/knadh/koanf/maps v0.1.2 // indirect

go.sum

@@ -1,3 +1,5 @@
+github.com/GehirnInc/crypt v0.0.0-20230320061759-8cc1b52080c5 h1:IEjq88XO4PuBDcvmjQJcQGg+w+UaafSy8G5Kcb5tBhI=
+github.com/GehirnInc/crypt v0.0.0-20230320061759-8cc1b52080c5/go.mod h1:exZ0C/1emQJAw5tHOaUDyY1ycttqBAPcxuzf7QbY6ec=
 github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@@ -37,6 +39,12 @@ github.com/rs/zerolog v1.34.0 h1:k43nTLIwcTVQAncfCw4KZ2VY6ukYoZaBPNOE8txlOeY=
 github.com/rs/zerolog v1.34.0/go.mod h1:bJsvje4Z08ROH4Nhs5iH600c3IkWhwp44iRc54W6wYQ=
 github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
 github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/tg123/go-htpasswd v1.2.4 h1:HgH8KKCjdmo7jjXWN9k1nefPBd7Be3tFCTjc2jPraPU=
+github.com/tg123/go-htpasswd v1.2.4/go.mod h1:EKThQok9xHkun6NBMynNv6Jmu24A33XdZzzl4Q7H1+0=
+golang.org/x/crypto v0.33.0 h1:IOBPskki6Lysi0lo9qQvbxiQ+FvsCC/YWOecCHAixus=
+golang.org/x/crypto v0.33.0/go.mod h1:bVdXmD7IV/4GdElGPozy6U7lWdRXA4qyRVGJV57uQ5M=
+golang.org/x/crypto v0.37.0 h1:kJNSjF/Xp7kU0iB2Z+9viTPMW4EqqsrywMXLJOOsXSE=
+golang.org/x/crypto v0.37.0/go.mod h1:vg+k43peMZ0pUMhYmVAWysMK35e6ioLh3wB8ZCAfbVc=
 golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=

internal/auth/auth.go

@@ -5,20 +5,24 @@ import (
 	"fmt"
 	"net/http"
 
+	"github.com/dvjn/sorcerer/internal/auth/htpasswd"
 	"github.com/dvjn/sorcerer/internal/auth/no_auth"
 	"github.com/dvjn/sorcerer/internal/config"
 	"github.com/go-chi/chi/v5"
+	"github.com/rs/zerolog"
 )
 
 type Auth interface {
 	Router() *chi.Mux
 	DistributionMiddleware() func(http.Handler) http.Handler
 }
 
-func New(c *config.AuthConfig) (Auth, error) {
+func New(c *config.AuthConfig, logger *zerolog.Logger) (Auth, error) {
 	switch c.Mode {
 	case config.AuthModeNone:
 		return no_auth.New(&c.NoAuth), nil
+	case config.AuthModeHtpasswd:
+		return htpasswd.NewHtpasswdAuth(&c.Htpasswd, logger)
 	default:
 		return nil, fmt.Errorf("unknown auth mode: %s", c.Mode)
 	}

internal/auth/htpasswd/htpasswd.go

@@ -0,0 +1,85 @@
+package htpasswd
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/dvjn/sorcerer/internal/config"
+	"github.com/go-chi/chi/v5"
+	"github.com/rs/zerolog"
+	htpasswdlib "github.com/tg123/go-htpasswd"
+)
+
+type HtpasswdAuth struct {
+	config *config.HtpasswdConfig
+	file   *htpasswdlib.File
+	logger *zerolog.Logger
+}
+
+func NewHtpasswdAuth(cfg *config.HtpasswdConfig, logger *zerolog.Logger) (*HtpasswdAuth, error) {
+	if logger == nil {
+		return nil, fmt.Errorf("logger is required")
+	}
+
+	auth := &HtpasswdAuth{
+		config: cfg,
+		logger: logger,
+	}
+
+	if err := auth.loadHtpasswdFile(); err != nil {
+		return nil, fmt.Errorf("failed to load htpasswd data: %w", err)
+	}
+
+	// Log successful initialization
+	auth.logger.Info().
+		Str("auth_type", "htpasswd").
+		Msg("htpasswd authentication initialized")
+
+	return auth, nil
+}
+
+func (a *HtpasswdAuth) Router() *chi.Mux {
+	r := chi.NewRouter()
+	return r
+}
+
+func (a *HtpasswdAuth) loadHtpasswdFile() error {
+	if a.config.Contents != "" {
+		a.logger.Info().
+			Str("source", "inline").
+			Msg("loading htpasswd from inline contents")
+		r := strings.NewReader(a.config.Contents)
+		file, err := htpasswdlib.NewFromReader(r, htpasswdlib.DefaultSystems, nil)
+		if err != nil {
+			return fmt.Errorf("failed to parse htpasswd content: %w", err)
+		}
+		a.file = file
+		return nil
+	}
+
+	if a.config.File != "" {
+		a.logger.Info().
+			Str("source", "file").
+			Str("file", a.config.File).
+			Msg("loading htpasswd from file")
+
+		// Load using the library
+		file, err := htpasswdlib.New(a.config.File, htpasswdlib.DefaultSystems, nil)
+		if err != nil {
+			return fmt.Errorf("failed to load htpasswd file %s: %w", a.config.File, err)
+		}
+
+		a.file = file
+		return nil
+	}
+
+	return fmt.Errorf("neither file nor contents provided for htpasswd auth")
+}
+
+// Match checks if username and password are valid
+func (a *HtpasswdAuth) Match(username, password string) bool {
+	if a.file == nil {
+		return false
+	}
+	return a.file.Match(username, password)
+}