Add optional basic auth guardrails for proxy and web library

joonsoome · joonsoome · commit c920ed591572 · 2025-12-09T09:47:58.000Z
diff --git a/.env.dev.example b/.env.dev.example
@@ -17,6 +17,14 @@ DEV_WEB_LIBRARY_PORT=8281
 # Set to a host reachable by your browser (not localhost if accessed via NAS).
 DEV_PDF_PROXY_BASE_URL=http://192.168.0.50:8280/pdf
 
+# Optional HTTP basic auth (useful when reverse proxy auth is bypassed)
+DEV_PDF_PROXY_BASIC_AUTH_USER=
+DEV_PDF_PROXY_BASIC_AUTH_PASSWORD=
+DEV_PDF_PROXY_BASIC_AUTH_REALM=Zotero PDF Proxy
+DEV_WEB_LIBRARY_BASIC_AUTH_USER=
+DEV_WEB_LIBRARY_BASIC_AUTH_PASSWORD=
+DEV_WEB_LIBRARY_BASIC_AUTH_REALM=Zotero WebUI
+
 # On-prem upload gating (set false to block WebUI uploads to Zotero Storage; sync via Desktop/WebDAV instead)
 WEB_LIBRARY_ALLOW_UPLOADS=false
 
diff --git a/.env.portainer.example b/.env.portainer.example
@@ -14,6 +14,14 @@ WEB_LIBRARY_PORT=8281
 # Base URL that the Web Library should use when linking to the PDF proxy (update to your staging hostname/IP)
 PDF_PROXY_BASE_URL=http://192.168.0.50:8280/pdf
 
+# Optional HTTP basic auth (extra guard if Cloudflare/NPM is bypassed)
+PDF_PROXY_BASIC_AUTH_USER=
+PDF_PROXY_BASIC_AUTH_PASSWORD=
+PDF_PROXY_BASIC_AUTH_REALM=Zotero PDF Proxy
+WEB_LIBRARY_BASIC_AUTH_USER=
+WEB_LIBRARY_BASIC_AUTH_PASSWORD=
+WEB_LIBRARY_BASIC_AUTH_REALM=Zotero WebUI
+
 # Metadata source (runtime templating for the Web Library)
 # If you host metadata on zotero.org (default):
 #   ZOTERO_API_KEY: your Zotero API key
diff --git a/.env.stage.example b/.env.stage.example
@@ -14,6 +14,14 @@ WEB_LIBRARY_PORT=8281
 # Base URL that the Web Library should use when linking to the PDF proxy (update to your staging hostname/IP)
 PDF_PROXY_BASE_URL=http://192.168.0.50:8280/pdf
 
+# Optional HTTP basic auth (extra guard if Cloudflare/NPM is bypassed)
+PDF_PROXY_BASIC_AUTH_USER=
+PDF_PROXY_BASIC_AUTH_PASSWORD=
+PDF_PROXY_BASIC_AUTH_REALM=Zotero PDF Proxy
+WEB_LIBRARY_BASIC_AUTH_USER=
+WEB_LIBRARY_BASIC_AUTH_PASSWORD=
+WEB_LIBRARY_BASIC_AUTH_REALM=Zotero WebUI
+
 # Metadata source (runtime templating for the Web Library)
 # If you host metadata on zotero.org (default):
 #   ZOTERO_API_KEY: your Zotero API key
diff --git a/Dockerfile.web-library b/Dockerfile.web-library
@@ -32,10 +32,10 @@ RUN npm ci \
 FROM nginx:1.27-alpine AS runtime
 
 # For envsubst and clean startup
-RUN apk add --no-cache gettext
+RUN apk add --no-cache apache2-utils gettext
 
 COPY --from=builder /app/web-library-build/build/ /usr/share/nginx/html/
-COPY app/web-library-overlay/config/nginx.conf /etc/nginx/conf.d/default.conf
+COPY app/web-library-overlay/config/nginx.conf.template /etc/nginx/conf.d/default.conf.template
 COPY app/web-library-overlay/scripts/entrypoint.sh /entrypoint.sh
 RUN chmod +x /entrypoint.sh
 
diff --git a/app/main.py b/app/main.py
@@ -1,12 +1,14 @@
 import logging
 import os
 import re
+import secrets
 import zipfile
 from pathlib import Path
 from typing import Iterable, Optional
 
-from fastapi import FastAPI, HTTPException
+from fastapi import Depends, FastAPI, HTTPException
 from fastapi.responses import StreamingResponse
+from fastapi.security import HTTPBasic, HTTPBasicCredentials
 
 
 logging.basicConfig(level=logging.INFO)
@@ -22,6 +24,11 @@ def get_zotero_root() -> Path:
 
 
 app = FastAPI(title="Zotero WebDAV PDF Proxy")
+basic_auth_scheme = HTTPBasic(auto_error=False)
+
+BASIC_AUTH_USER = os.getenv("PDF_PROXY_BASIC_AUTH_USER")
+BASIC_AUTH_PASSWORD = os.getenv("PDF_PROXY_BASIC_AUTH_PASSWORD")
+BASIC_AUTH_REALM = os.getenv("PDF_PROXY_BASIC_AUTH_REALM", "Zotero PDF Proxy")
 
 
 def validate_key(key: str) -> None:
@@ -103,12 +110,35 @@ def iterator() -> Iterable[bytes]:
     return StreamingResponse(iterator(), media_type="application/pdf", headers=headers)
 
 
-@app.get("/health")
+def enforce_basic_auth(
+    credentials: Optional[HTTPBasicCredentials] = Depends(basic_auth_scheme),
+) -> None:
+    auth_configured = BASIC_AUTH_USER and BASIC_AUTH_PASSWORD
+    if not auth_configured:
+        return
+
+    unauthorized = HTTPException(
+        status_code=401,
+        detail="Unauthorized",
+        headers={"WWW-Authenticate": f'Basic realm="{BASIC_AUTH_REALM}"'},
+    )
+
+    if credentials is None:
+        raise unauthorized
+
+    username_valid = secrets.compare_digest(credentials.username, BASIC_AUTH_USER)
+    password_valid = secrets.compare_digest(credentials.password, BASIC_AUTH_PASSWORD)
+
+    if not username_valid or not password_valid:
+        raise unauthorized
+
+
+@app.get("/health", dependencies=[Depends(enforce_basic_auth)])
 def health() -> dict:
     return {"status": "ok"}
 
 
-@app.get("/pdf/{key}")
+@app.get("/pdf/{key}", dependencies=[Depends(enforce_basic_auth)])
 def get_pdf(key: str):
     validate_key(key)
 
@@ -128,4 +158,3 @@ def get_pdf(key: str):
     except Exception as error:
         logger.exception("Unexpected error while processing key=%s", key)
         raise HTTPException(status_code=500, detail="Internal server error") from error
-
diff --git a/app/web-library-overlay/config/nginx.conf.template b/app/web-library-overlay/config/nginx.conf.template
@@ -5,6 +5,8 @@ server {
     root /usr/share/nginx/html;
     index index.html;
 
+    ${AUTH_SNIPPET}
+
     location / {
         try_files $uri $uri/ /index.html;
     }
diff --git a/app/web-library-overlay/scripts/entrypoint.sh b/app/web-library-overlay/scripts/entrypoint.sh
@@ -11,6 +11,7 @@ set -e
 : "${ZOTERO_LIBRARIES_INCLUDE_JSON:=[]}"
 : "${WEB_LIBRARY_ALLOW_UPLOADS:=false}"
 : "${PDF_PROXY_BASE_URL:=http://localhost:8280/pdf}"
+: "${WEB_LIBRARY_BASIC_AUTH_REALM:=Zotero WebUI}"
 
 # Render index.html with current env vars (placeholders remain if empty)
 if [ -f /usr/share/nginx/html/index.html ]; then
@@ -21,4 +22,18 @@ if [ -f /usr/share/nginx/html/index.html ]; then
   mv /usr/share/nginx/html/index.html.rendered /usr/share/nginx/html/index.html
 fi
 
+AUTH_SNIPPET=""
+
+if [ -n "${WEB_LIBRARY_BASIC_AUTH_USER:-}" ] && [ -n "${WEB_LIBRARY_BASIC_AUTH_PASSWORD:-}" ]; then
+  HTPASSWD_PATH="/etc/nginx/.htpasswd"
+  htpasswd -bBc "$HTPASSWD_PATH" "$WEB_LIBRARY_BASIC_AUTH_USER" "$WEB_LIBRARY_BASIC_AUTH_PASSWORD"
+  AUTH_SNIPPET=$(printf "    auth_basic \"%s\";\n    auth_basic_user_file %s;" "$WEB_LIBRARY_BASIC_AUTH_REALM" "$HTPASSWD_PATH")
+fi
+
+if [ -f /etc/nginx/conf.d/default.conf.template ]; then
+  AUTH_SNIPPET="$AUTH_SNIPPET" envsubst '$AUTH_SNIPPET' \
+    < /etc/nginx/conf.d/default.conf.template \
+    > /etc/nginx/conf.d/default.conf
+fi
+
 exec "$@"
diff --git a/docker-compose.dev.yml b/docker-compose.dev.yml
@@ -8,6 +8,9 @@ services:
       dockerfile: Dockerfile.pdf-proxy
     environment:
       - ZOTERO_ROOT=/data/zotero
+      - PDF_PROXY_BASIC_AUTH_USER=${DEV_PDF_PROXY_BASIC_AUTH_USER:-}
+      - PDF_PROXY_BASIC_AUTH_PASSWORD=${DEV_PDF_PROXY_BASIC_AUTH_PASSWORD:-}
+      - PDF_PROXY_BASIC_AUTH_REALM=${DEV_PDF_PROXY_BASIC_AUTH_REALM:-Zotero PDF Proxy}
     volumes:
       - ${DEV_ZOTERO_SAMPLE_ROOT:-./sample-webdav/zotero}:/data/zotero
       - ./app:/app
@@ -29,6 +32,9 @@ services:
       - ZOTERO_INCLUDE_USER_GROUPS=${ZOTERO_INCLUDE_USER_GROUPS:-true}
       - ZOTERO_LIBRARIES_INCLUDE_JSON=${ZOTERO_LIBRARIES_INCLUDE_JSON:-[]}
       - WEB_LIBRARY_ALLOW_UPLOADS=${WEB_LIBRARY_ALLOW_UPLOADS:-false}
+      - WEB_LIBRARY_BASIC_AUTH_USER=${DEV_WEB_LIBRARY_BASIC_AUTH_USER:-}
+      - WEB_LIBRARY_BASIC_AUTH_PASSWORD=${DEV_WEB_LIBRARY_BASIC_AUTH_PASSWORD:-}
+      - WEB_LIBRARY_BASIC_AUTH_REALM=${DEV_WEB_LIBRARY_BASIC_AUTH_REALM:-Zotero WebUI}
     ports:
       - "${DEV_WEB_LIBRARY_PORT:-8281}:80"
     depends_on:
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -5,6 +5,9 @@ services:
     image: ${PDF_PROXY_IMAGE:-ghcr.io/joonsoome/on-prem-zotero-webui/pdf-proxy:main}
     environment:
       - ZOTERO_ROOT=/data/zotero
+      - PDF_PROXY_BASIC_AUTH_USER=${PDF_PROXY_BASIC_AUTH_USER:-}
+      - PDF_PROXY_BASIC_AUTH_PASSWORD=${PDF_PROXY_BASIC_AUTH_PASSWORD:-}
+      - PDF_PROXY_BASIC_AUTH_REALM=${PDF_PROXY_BASIC_AUTH_REALM:-Zotero PDF Proxy}
     volumes:
       - ${ZOTERO_ROOT_HOST_PATH:-/volume1/Reference/zotero}:/data/zotero
     ports:
@@ -23,6 +26,9 @@ services:
       - ZOTERO_INCLUDE_USER_GROUPS=${ZOTERO_INCLUDE_USER_GROUPS:-true}
       - ZOTERO_LIBRARIES_INCLUDE_JSON=${ZOTERO_LIBRARIES_INCLUDE_JSON:-[]}
       - WEB_LIBRARY_ALLOW_UPLOADS=${WEB_LIBRARY_ALLOW_UPLOADS:-false}
+      - WEB_LIBRARY_BASIC_AUTH_USER=${WEB_LIBRARY_BASIC_AUTH_USER:-}
+      - WEB_LIBRARY_BASIC_AUTH_PASSWORD=${WEB_LIBRARY_BASIC_AUTH_PASSWORD:-}
+      - WEB_LIBRARY_BASIC_AUTH_REALM=${WEB_LIBRARY_BASIC_AUTH_REALM:-Zotero WebUI}
     ports:
       - "${WEB_LIBRARY_PORT:-8281}:80"
     depends_on:
diff --git a/requirements-dev.txt b/requirements-dev.txt
@@ -1,3 +1,3 @@
 -r app/requirements.txt
 pytest
-
+httpx
diff --git a/scripts/npm-basic-auth-fix.sh b/scripts/npm-basic-auth-fix.sh
@@ -0,0 +1,56 @@
+#!/usr/bin/env bash
+# Copyright (c) 2025 joonsoo-me
+# SPDX-License-Identifier: AGPL-3.0-only
+
+set -euo pipefail
+
+usage() {
+  cat <<'EOF'
+Usage: scripts/npm-basic-auth-fix.sh <url> [user] [password]
+
+Checks whether a proxied URL properly challenges with HTTP basic auth.
+- url: Full URL to the WebUI or PDF proxy (e.g., https://pdf.example.com/).
+- user/password: Basic auth credentials. If omitted, use BASIC_AUTH_USER/BASIC_AUTH_PASSWORD env vars.
+- Set CURL_OPTS (e.g., "-k" for self-signed) to tweak curl behavior.
+EOF
+}
+
+TARGET_URL="${1:-}"
+AUTH_USER="${2:-${BASIC_AUTH_USER:-}}"
+AUTH_PASSWORD="${3:-${BASIC_AUTH_PASSWORD:-}}"
+read -r -a CURL_OPTS_ARRAY <<<"${CURL_OPTS:-}"
+
+if [[ -z "$TARGET_URL" ]]; then
+  usage
+  exit 1
+fi
+
+if [[ -z "$AUTH_USER" || -z "$AUTH_PASSWORD" ]]; then
+  echo "error: provide basic-auth credentials as args or BASIC_AUTH_USER/BASIC_AUTH_PASSWORD env vars." >&2
+  exit 1
+fi
+
+status_without_auth=$(curl -s -o /dev/null -w "%{http_code}" "${CURL_OPTS_ARRAY[@]}" "$TARGET_URL")
+status_with_auth=$(curl -s -o /dev/null -w "%{http_code}" "${CURL_OPTS_ARRAY[@]}" -u "$AUTH_USER:$AUTH_PASSWORD" "$TARGET_URL")
+
+echo "Target         : $TARGET_URL"
+echo "Without auth   : HTTP $status_without_auth"
+echo "With auth      : HTTP $status_with_auth"
+
+if [[ "$status_without_auth" != "401" && "$status_without_auth" != "403" ]]; then
+  cat >&2 <<'EOF'
+warning: endpoint is reachable without basic auth.
+ - Confirm your Cloudflare tunnel points at the NPM instance (not the NAS container).
+ - Ensure an NPM Access List is attached to the host.
+ - Consider enabling in-container auth via PDF_PROXY_BASIC_AUTH_*/WEB_LIBRARY_BASIC_AUTH_* env vars.
+EOF
+fi
+
+case "$status_with_auth" in
+  2*|3*)
+    echo "Auth success   : credentials accepted (expected 2xx/3xx)."
+    ;;
+  *)
+    echo "warning: authenticated request did not succeed (HTTP $status_with_auth)." >&2
+    ;;
+esac
diff --git a/tests/test_basic_auth.py b/tests/test_basic_auth.py
@@ -0,0 +1,54 @@
+"""
+Copyright (c) 2025 joonsoo-me
+SPDX-License-Identifier: AGPL-3.0-only
+"""
+
+import importlib
+
+import app.main as main
+from fastapi.testclient import TestClient
+
+
+def reload_main(monkeypatch, user=None, password=None, realm="Zotero PDF Proxy"):
+    monkeypatch.delenv("PDF_PROXY_BASIC_AUTH_USER", raising=False)
+    monkeypatch.delenv("PDF_PROXY_BASIC_AUTH_PASSWORD", raising=False)
+    monkeypatch.delenv("PDF_PROXY_BASIC_AUTH_REALM", raising=False)
+
+    if user is not None:
+        monkeypatch.setenv("PDF_PROXY_BASIC_AUTH_USER", user)
+    if password is not None:
+        monkeypatch.setenv("PDF_PROXY_BASIC_AUTH_PASSWORD", password)
+    if realm is not None:
+        monkeypatch.setenv("PDF_PROXY_BASIC_AUTH_REALM", realm)
+
+    return importlib.reload(main)
+
+
+def test_basic_auth_disabled_by_default(monkeypatch):
+    module = reload_main(monkeypatch, user=None, password=None)
+    client = TestClient(module.app)
+
+    response = client.get("/health")
+    assert response.status_code == 200
+
+
+def test_basic_auth_requires_credentials(monkeypatch):
+    module = reload_main(monkeypatch, user="alice", password="wonderland")
+    client = TestClient(module.app)
+
+    response = client.get("/health")
+    assert response.status_code == 401
+    assert 'Basic realm="Zotero PDF Proxy"' in response.headers.get(
+        "WWW-Authenticate", ""
+    )
+
+    authed = client.get("/health", auth=("alice", "wonderland"))
+    assert authed.status_code == 200
+
+
+def test_basic_auth_rejects_invalid_credentials(monkeypatch):
+    module = reload_main(monkeypatch, user="alice", password="wonderland")
+    client = TestClient(module.app)
+
+    response = client.get("/health", auth=("alice", "wrongpass"))
+    assert response.status_code == 401

Original file line number	Diff line number	Diff line change
`@@ -5,6 +5,8 @@ server {`
`5`	`5`	`root /usr/share/nginx/html;`
`6`	`6`	`index index.html;`
`7`	`7`
	`8`	`+ ${AUTH_SNIPPET}`
	`9`	`+`
`8`	`10`	`location / {`
`9`	`11`	`try_files $uri $uri/ /index.html;`
`10`	`12`	`}`
-Original file line number
+Diff line change
@@ @@ -1,3 +1,3 @@ @@
 -r app/requirements.txt
 pytest
+-
 +httpx