Add password authentication support

- Add password authentication option to AuthRouter
- Support SHA256 password hashing with multiple passwords
- Update login template with password form and improved styling
- Add password error handling and session management
- Integrate password auth with existing OAuth providers

Author: hrntknr

pkg/auth/main.go

@@ -2,9 +2,12 @@ package auth
 
 import (
 	"context"
+	"crypto/sha256"
 	"embed"
+	"fmt"
 	"html/template"
 	"net/http"
+	"strings"
 
 	"github.com/gin-contrib/sessions"
 	"github.com/gin-gonic/gin"
@@ -25,12 +28,13 @@ type Provider interface {
 }
 
 type AuthRouter struct {
-	providers           map[string]Provider
-	template            *template.Template
+	passswordHash        []string
+	providers            map[string]Provider
+	template             *template.Template
 	unauthorizedTemplate *template.Template
 }
 
-func NewAuthRouter(providers ...Provider) (*AuthRouter, error) {
+func NewAuthRouter(passwordHash []string, providers ...Provider) (*AuthRouter, error) {
 	providersMap := make(map[string]Provider)
 	for _, provider := range providers {
 		providersMap[provider.Name()] = provider
@@ -40,22 +44,24 @@ func NewAuthRouter(providers ...Provider) (*AuthRouter, error) {
 	if err != nil {
 		return nil, err
 	}
-	
+
 	unauthorizedTmpl, err := template.ParseFS(templateFS, "templates/unauthorized.html")
 	if err != nil {
 		return nil, err
 	}
 
 	return &AuthRouter{
-		providers:           providersMap,
-		template:            tmpl,
+		passswordHash:        passwordHash,
+		providers:            providersMap,
+		template:             tmpl,
 		unauthorizedTemplate: unauthorizedTmpl,
 	}, nil
 }
 
 const (
 	LoginEndpoint          = "/.auth/login"
 	LogoutEndpoint         = "/.auth/logout"
+	PasswordEndpoint       = "/.auth/password"
 	GoogleAuthEndpoint     = "/.auth/google"
 	GoogleCallbackEndpoint = "/.auth/google/callback"
 	GitHubAuthEndpoint     = "/.auth/github"
@@ -64,6 +70,7 @@ const (
 
 func (a *AuthRouter) SetupRoutes(router gin.IRouter) {
 	router.GET(LoginEndpoint, a.handleLogin)
+	router.POST(PasswordEndpoint, a.handlePasswordAuth)
 	router.GET(LogoutEndpoint, a.handleLogout)
 	for providerName, provider := range a.providers {
 		router.GET(provider.RedirectURL(), func(c *gin.Context) {
@@ -111,10 +118,24 @@ func (a *AuthRouter) handleLogin(c *gin.Context) {
 		})
 	}
 
+	session := sessions.Default(c)
+	passwordError := session.Get("password_error")
+	session.Delete("password_error")
+	session.Save()
+
+	var passwordErrorStr string
+	if passwordError != nil {
+		passwordErrorStr = passwordError.(string)
+	}
+
 	data := struct {
-		Providers []ProviderData
+		Providers     []ProviderData
+		HasPassword   bool
+		PasswordError string
 	}{
-		Providers: providersData,
+		Providers:     providersData,
+		HasPassword:   len(a.passswordHash) > 0,
+		PasswordError: passwordErrorStr,
 	}
 
 	c.Header("Content-Type", "text/html; charset=utf-8")
@@ -124,6 +145,47 @@ func (a *AuthRouter) handleLogin(c *gin.Context) {
 	}
 }
 
+func (a *AuthRouter) handlePasswordAuth(c *gin.Context) {
+	password := c.PostForm("password")
+	if password == "" {
+		session := sessions.Default(c)
+		session.Set("password_error", "Password is required")
+		session.Save()
+		c.Redirect(http.StatusFound, LoginEndpoint)
+		return
+	}
+
+	hashedPassword := fmt.Sprintf("%x", sha256.Sum256([]byte(password)))
+
+	var isValid bool
+	for _, hash := range a.passswordHash {
+		if strings.EqualFold(hashedPassword, hash) {
+			isValid = true
+			break
+		}
+	}
+
+	if !isValid {
+		session := sessions.Default(c)
+		session.Set("password_error", "Invalid password")
+		session.Save()
+		c.Redirect(http.StatusFound, LoginEndpoint)
+		return
+	}
+
+	session := sessions.Default(c)
+	session.Set("provider", "password")
+	session.Set("user_id", "password_user")
+	session.Save()
+
+	redirectURL := session.Get("redirect_url")
+	if redirectURL == nil {
+		c.Redirect(http.StatusFound, "/")
+		return
+	}
+	c.Redirect(http.StatusFound, redirectURL.(string))
+}
+
 func (a *AuthRouter) handleLogout(c *gin.Context) {
 	session := sessions.Default(c)
 	session.Clear()
@@ -142,6 +204,13 @@ func (a *AuthRouter) RequireAuth() gin.HandlerFunc {
 			c.Redirect(http.StatusFound, LoginEndpoint)
 			return
 		}
+
+		// Allow password authentication
+		if providerName.(string) == "password" {
+			c.Next()
+			return
+		}
+
 		p, ok := a.providers[providerName.(string)]
 		if !ok {
 			c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"error": "Unknown provider"})

pkg/auth/templates/login.html

@@ -1,5 +1,5 @@
 <!DOCTYPE html>
-<html lang="ja">
+<html lang="en">
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
@@ -17,23 +17,96 @@
       }
       .login-container {
         background: white;
-        padding: 2rem;
-        border-radius: 10px;
-        box-shadow: 0 4px 20px rgba(0, 0, 0, 0.1);
+        padding: 2.5rem;
+        border-radius: 12px;
+        box-shadow: 0 8px 32px rgba(0, 0, 0, 0.12);
         text-align: center;
-        min-width: 300px;
+        min-width: 350px;
+        max-width: 400px;
+        width: 100%;
       }
       h1 {
         color: #333;
+        margin-bottom: 2rem;
+        font-size: 2rem;
+        font-weight: 600;
+      }
+      .password-form {
+        margin-bottom: 2rem;
+        padding-bottom: 2rem;
+        border-bottom: 1px solid #e5e5e5;
+      }
+      .form-group {
         margin-bottom: 1.5rem;
+        text-align: left;
+      }
+      .form-label {
+        display: block;
+        margin-bottom: 0.5rem;
+        color: #555;
+        font-weight: 500;
+        font-size: 0.9rem;
+      }
+      .form-input {
+        width: 100%;
+        padding: 12px 16px;
+        border: 2px solid #e1e5e9;
+        border-radius: 8px;
+        font-size: 16px;
+        transition: border-color 0.2s, box-shadow 0.2s;
+        box-sizing: border-box;
+      }
+      .form-input:focus {
+        outline: none;
+        border-color: #667eea;
+        box-shadow: 0 0 0 3px rgba(102, 126, 234, 0.1);
+      }
+      .password-button {
+        width: 100%;
+        padding: 12px 20px;
+        background: linear-gradient(45deg, #667eea, #764ba2);
+        color: white;
+        border: none;
+        border-radius: 8px;
+        font-size: 16px;
+        font-weight: 600;
+        cursor: pointer;
+        transition: transform 0.2s, box-shadow 0.2s;
+        box-sizing: border-box;
+      }
+      .password-button:hover {
+        transform: translateY(-2px);
+        box-shadow: 0 6px 20px rgba(102, 126, 234, 0.3);
+      }
+      .divider {
+        margin: 1.5rem 0;
+        position: relative;
+        color: #999;
+        font-size: 0.9rem;
+      }
+      .divider::before {
+        content: '';
+        position: absolute;
+        top: 50%;
+        left: 0;
+        right: 0;
+        height: 1px;
+        background: #e5e5e5;
+        z-index: 1;
+      }
+      .divider span {
+        background: white;
+        padding: 0 1rem;
+        position: relative;
+        z-index: 2;
       }
       .provider-button {
         display: block;
         width: 100%;
         padding: 12px 20px;
-        margin: 10px auto;
+        margin: 12px auto;
         text-decoration: none;
-        border-radius: 6px;
+        border-radius: 8px;
         font-size: 16px;
         font-weight: 500;
         transition: transform 0.2s, box-shadow 0.2s;
@@ -47,7 +120,7 @@
       }
       .provider-button:hover {
         transform: translateY(-2px);
-        box-shadow: 0 4px 12px rgba(0, 0, 0, 0.15);
+        box-shadow: 0 6px 16px rgba(0, 0, 0, 0.15);
       }
       .google {
         background-color: #4285f4;
@@ -63,19 +136,41 @@
       .github:hover {
         background-color: #24292e;
       }
-      .description {
-        color: #666;
-        margin-bottom: 2rem;
-        line-height: 1.5;
+      .error-message {
+        color: #e74c3c;
+        font-size: 0.9rem;
+        margin-top: 0.5rem;
+        text-align: center;
       }
     </style>
   </head>
   <body>
     <div class="login-container">
       <h1>MCP Auth Proxy</h1>
-
+      
+      {{if .HasPassword}}
+      <form class="password-form" action="/.auth/password" method="POST">
+        <div class="form-group">
+          <label class="form-label" for="password">Password</label>
+          <input class="form-input" type="password" id="password" name="password" required>
+        </div>
+        <button class="password-button" type="submit">Login</button>
+        {{if .PasswordError}}
+        <div class="error-message">{{.PasswordError}}</div>
+        {{end}}
+      </form>
+      {{end}}
+      
+      {{if and .HasPassword .Providers}}
+      <div class="divider">
+        <span>or</span>
+      </div>
+      {{end}}
+      
       {{range .Providers}}
-      <a href="{{.URL}}" class="provider-button"> Login with {{.Name}} </a>
+      <a href="{{.URL}}" class="provider-button {{.Name | lower}}">
+        Login with {{.Name}}
+      </a>
       {{end}}
     </div>
   </body>

pkg/mcp-proxy/main.go

@@ -89,7 +89,7 @@ func Run(
 		providers = append(providers, githubProvider)
 	}
 
-	authRouter, err := auth.NewAuthRouter(providers...)
+	authRouter, err := auth.NewAuthRouter([]string{}, providers...)
 	if err != nil {
 		return fmt.Errorf("failed to create auth router: %w", err)
 	}