Add read only user (#7862)

* add readonly user * add args * address comments * avoid same user name * Prevents timing attacks * doc --------- Co-authored-by: Chris Lu <chris.lu@gmail.com>
2025-12-25 13:18:16 -08:00
parent e8a41ec053
commit 225e3d0302
7 changed files with 171 additions and 50 deletions
--- a/weed/admin/dash/auth_middleware.go
+++ b/weed/admin/dash/auth_middleware.go
@@ -1,6 +1,7 @@
 package dash

 import (
+	"crypto/subtle"
 	"net/http"

 	"github.com/gin-contrib/sessions"
@@ -25,17 +26,31 @@ func (s *AdminServer) ShowLogin(c *gin.Context) {
 }

 // HandleLogin handles login form submission
-func (s *AdminServer) HandleLogin(username, password string) gin.HandlerFunc {
+func (s *AdminServer) HandleLogin(adminUser, adminPassword, readOnlyUser, readOnlyPassword string) gin.HandlerFunc {
 	return func(c *gin.Context) {
 		loginUsername := c.PostForm("username")
 		loginPassword := c.PostForm("password")

-		if loginUsername == username && loginPassword == password {
+		var role string
+		var authenticated bool
+
+		// Check admin credentials
+		if adminPassword != "" && loginUsername == adminUser && subtle.ConstantTimeCompare([]byte(loginPassword), []byte(adminPassword)) == 1 {
+			role = "admin"
+			authenticated = true
+		} else if readOnlyPassword != "" && loginUsername == readOnlyUser && subtle.ConstantTimeCompare([]byte(loginPassword), []byte(readOnlyPassword)) == 1 {
+			// Check read-only credentials
+			role = "readonly"
+			authenticated = true
+		}
+
+		if authenticated {
 			session := sessions.Default(c)
 			// Clear any existing invalid session data before setting new values
 			session.Clear()
 			session.Set("authenticated", true)
 			session.Set("username", loginUsername)
+			session.Set("role", role)
 			if err := session.Save(); err != nil {
 				// Log the detailed error server-side for diagnostics
 				glog.Errorf("Failed to save session for user %s: %v", loginUsername, err)