nemunaire/chldapasswd
1
0
Fork 0
Code Issues Pull requests Releases Activity

fix(security): require configurable secret for X-Special-Auth docker registry bypass

Browse source 
Replace hardcoded "docker-registry" check with a configurable secret via
DOCKER_REGISTRY_SECRET env var. When the env var is unset, the anonymous
docker registry bypass is disabled entirely, closing the unauthenticated
access path if the service is accidentally exposed directly.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
nemunaire 2026-03-06 14:47:08 +07:00
commit 7b568607a6
2 changed files with 8 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

2
login.go
View file

@ -108,7 +108,7 @@ func httpBasicAuth(w http.ResponseWriter, r *http.Request) {
} }
return return
} }
} else if v := r.Header.Get("X-Special-Auth"); v == "docker-registry" { } else if dockerRegistrySecret != "" && r.Header.Get("X-Special-Auth") == dockerRegistrySecret {
method := r.Header.Get("X-Original-Method") method := r.Header.Get("X-Original-Method")
uri := r.Header.Get("X-Original-URI") uri := r.Header.Get("X-Original-URI")

7
main.go
View file

@ -19,6 +19,10 @@ import (
var myPublicURL = "https://ldap.nemunai.re" var myPublicURL = "https://ldap.nemunai.re"
// dockerRegistrySecret is required for X-Special-Auth anonymous access.
// If empty, the feature is disabled.
var dockerRegistrySecret string
var myLDAP = LDAP{ var myLDAP = LDAP{
Host: "localhost", Host: "localhost",
Port: 389, Port: 389,
@ -164,6 +168,9 @@ func main() {
if val, ok := os.LookupEnv("PUBLIC_URL"); ok { if val, ok := os.LookupEnv("PUBLIC_URL"); ok {
myPublicURL = val myPublicURL = val
} }
if val, ok := os.LookupEnv("DOCKER_REGISTRY_SECRET"); ok {
dockerRegistrySecret = val
}
if flag.NArg() > 0 { if flag.NArg() > 0 {
switch flag.Arg(0) { switch flag.Arg(0) {