alinea/dist/backend/api/BasicAuth.js

Headless git-based CMS

import "../../chunks/chunk-NZLE2WMY.js";

// src/backend/api/BasicAuth.ts
import { AuthResultType } from "alinea/cloud/AuthResult";
import { atob } from "alinea/core/util/Encoding";
import {
  AuthAction,
  InvalidCredentialsError,
  MissingCredentialsError
} from "../Auth.js";
var BasicAuth = class {
  #context;
  #verify;
  constructor(context, verify) {
    this.#context = context;
    this.#verify = verify;
  }
  async authenticate(request) {
    try {
      const verified = await this.verify(request);
      const url = new URL(request.url);
      const action = url.searchParams.get("auth");
      switch (action) {
        case AuthAction.Status: {
          return Response.json({
            type: AuthResultType.Authenticated,
            user: verified.user
          });
        }
        default:
          return new Response("Bad request", { status: 400 });
      }
    } catch {
      return unauthorized();
    }
  }
  async verify(request) {
    const ctx = this.#context;
    const auth = request.headers.get("Authorization");
    if (!auth) throw new MissingCredentialsError("Missing authorization header");
    const [scheme, token] = auth.split(" ", 2);
    if (scheme !== "Basic")
      throw new MissingCredentialsError("Invalid authorization scheme");
    const [username, password] = atob(token).split(":");
    const authorized = await this.#verify(username, password);
    if (!authorized) throw new InvalidCredentialsError("Invalid credentials");
    return {
      ...ctx,
      user: { sub: username },
      token
    };
  }
};
function unauthorized() {
  return new Response("Unauthorized", {
    status: 401,
    headers: {
      "WWW-Authenticate": 'Basic realm="Secure Area"'
    }
  });
}
export {
  BasicAuth
};