From 7b568607a6eda1049f809229173dc0518397162b Mon Sep 17 00:00:00 2001
From: Pierre-Olivier Mercier
Date: Fri, 6 Mar 2026 14:47:08 +0700
Subject: [PATCH] fix(security): require configurable secret for X-Special-Auth docker registry bypass

Replace hardcoded "docker-registry" check with a configurable secret via DOCKER_REGISTRY_SECRET env var. When the env var is unset, the anonymous docker registry bypass is disabled entirely, closing the unauthenticated access path if the service is accidentally exposed directly.

Co-Authored-By: Claude Sonnet 4.6
---
 login.go | 2 +-
 main.go | 7 +++++++
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/login.go b/login.go
index 14b9fef..cd72b3c 100644
--- a/login.go
+++ b/login.go
@@ -108,7 +108,7 @@ func httpBasicAuth(w http.ResponseWriter, r *http.Request) {
 }
 return
 }
-} else if v := r.Header.Get("X-Special-Auth"); v == "docker-registry" {
+} else if dockerRegistrySecret != "" && r.Header.Get("X-Special-Auth") == dockerRegistrySecret {
 method := r.Header.Get("X-Original-Method")
 uri := r.Header.Get("X-Original-URI")
 
diff --git a/main.go b/main.go
index 67e4234..f2c4c37 100644
--- a/main.go
+++ b/main.go
@@ -19,6 +19,10 @@ import (
 
 var myPublicURL = "https://ldap.nemunai.re"
 
+// dockerRegistrySecret is required for X-Special-Auth anonymous access.
+// If empty, the feature is disabled.
+var dockerRegistrySecret string
+
 var myLDAP = LDAP{
 Host: "localhost",
 Port: 389,
@@ -164,6 +168,9 @@ func main() {
 if val, ok := os.LookupEnv("PUBLIC_URL"); ok {
 myPublicURL = val
 }
+if val, ok := os.LookupEnv("DOCKER_REGISTRY_SECRET"); ok {
+dockerRegistrySecret = val
+}
 if flag.NArg() > 0 {
 switch flag.Arg(0) {
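Review bot: The new condition on the `+` line of the login.go hunk compares the X-Special-Auth header with the shared secret using `==`, which stops at the first differing byte; for a secret the usual choice is a constant-time comparison, `} else if dockerRegistrySecret != "" && subtle.ConstantTimeCompare([]byte(r.Header.Get("X-Special-Auth")), []byte(dockerRegistrySecret)) == 1 {` with `crypto/subtle` added to login.go's imports. The `dockerRegistrySecret != ""` guard is what keeps the bypass disabled when the variable is unset, so it must stay in front of the comparison in either form. httpBasicAuth starts and ends outside the hunk, so the branch body that goes on to read X-Original-Method and X-Original-URI is only partly visible here; the comparison gates that whole branch, which is the intended fix.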
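Review bot: The doc comment on the new `dockerRegistrySecret` variable in the first main.go hunk does not say where the value comes from or what it is compared against, which a reader of main.go alone would want; consider `// dockerRegistrySecret is read from the DOCKER_REGISTRY_SECRET environment variable in main and must match the X-Special-Auth request header for the anonymous docker-registry bypass in httpBasicAuth; when empty, that bypass is disabled.` The variable is package-level mutable state assigned in main, presumably before the HTTP handlers start serving; a sentence stating that it is not meant to change after startup would make that expectation explicit for anyone later adding a reload path.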