revert http basic auth

it can't be fast and secure.
2018-02-07 18:15:47 -05:00 · 2018-02-07 18:15:47 -05:00 · 618186c384
parent 89f8b47070
commit 618186c384
3 changed files with 3 additions and 30 deletions
--- a/modules/security/src/main/Env.scala
+++ b/modules/security/src/main/Env.scala
@ -156,7 +156,7 @@ final class Env(
  scheduler.once(30 seconds)(tor.refresh(_ => funit))
  scheduler.effect(TorRefreshDelay, "Refresh Tor exit nodes")(tor.refresh(firewall.unblockIps))

-  lazy val api = new SecurityApi(storeColl, firewall, geoIP, authenticator, emailAddressValidator, asyncCache)
+  lazy val api = new SecurityApi(storeColl, firewall, geoIP, authenticator, emailAddressValidator)

  lazy val csrfRequestHandler = new CSRFRequestHandler(NetDomain)

--- a/modules/security/src/main/SecurityApi.scala
+++ b/modules/security/src/main/SecurityApi.scala
@ -19,8 +19,7 @@ final class SecurityApi(
    firewall: Firewall,
    geoIP: GeoIP,
    authenticator: lila.user.Authenticator,
-    emailValidator: EmailAddressValidator,
-    asyncCache: lila.memo.AsyncCache.Builder
+    emailValidator: EmailAddressValidator
 ) {

  val AccessUri = "access_uri"
@ -77,7 +76,7 @@ final class SecurityApi(
            }
          }
        }
-      } // orElse BasicAuth(req).map2 { (u: User) => FingerprintedUser(u, false) }
+      }
    }

  def locatedOpenSessions(userId: User.ID, nb: Int): Fu[List[LocatedSession]] =
@ -95,29 +94,6 @@ final class SecurityApi(

  def reqSessionId(req: RequestHeader) = req.session get "sessionId"

-  private object BasicAuth {
-
-    private type Username = String
-
-    private val cache = asyncCache.multi[(Username, User.ClearPassword), Boolean](
-      name = "security.basic_auth",
-      f = {
-        case (username, password) => authenticator.authenticateByUsername(username, password).map(_.isDefined)
-      },
-      expireAfter = _.ExpireAfterWrite(2 minutes)
-    )
-
-    def apply(req: RequestHeader): Fu[Option[User]] = {
-      req.headers get "Authorization" flatMap lila.common.String.base64.decode map (_.split(":", 2))
-    } ?? {
-      case Array(username, password) =>
-        cache.get(username -> User.ClearPassword(password)) flatMap {
-          _ ?? UserRepo.named(username)
-        }
-      case _ => fuccess(none)
-    }
-  }
-
  def userIdsSharingIp = userIdsSharingField("ip") _

  def recentByIpExists(ip: IpAddress): Fu[Boolean] = Store recentByIpExists ip
--- a/modules/user/src/main/Authenticator.scala
+++ b/modules/user/src/main/Authenticator.scala
@ -26,9 +26,6 @@ final class Authenticator(
  def authenticateById(id: User.ID, password: ClearPassword): Fu[Option[User]] =
    loginCandidateById(id) map { _ flatMap { _(password) } }

-  def authenticateByUsername(username: String, password: ClearPassword): Fu[Option[User]] =
-    authenticateById(User normalize username, password)
-
  def authenticateByEmail(email: EmailAddress, password: ClearPassword): Fu[Option[User]] =
    loginCandidateByEmail(email) map { _ flatMap { _(password) } }