Refactor password authentication to use bcrypt and improve UX

hrntknr · hrntknr · commit c667cdbeb673 · 2025-08-16T02:25:39.000Z
- Replace SHA256 with bcrypt for secure password hashing
- Add support for both plain password and pre-hashed password arguments
- Remove separate password endpoint, handle POST on login page directly
- Improve login form validation with inline error display
- Remove session-based error handling for simpler flow
- Update UI styling and fix template syntax issues
diff --git a/main.go b/main.go
@@ -27,6 +27,8 @@ func main() {
 	var githubClientID string
 	var githubClientSecret string
 	var githubAllowedUsers string
+	var password string
+	var passwordHash string
 
 	rootCmd := &cobra.Command{
 		Use: "mcp-warp",
@@ -59,6 +61,8 @@ func main() {
 				githubClientID,
 				githubClientSecret,
 				githubAllowedUsersList,
+				password,
+				passwordHash,
 			); err != nil {
 				panic(err)
 			}
@@ -70,17 +74,21 @@ func main() {
 	rootCmd.Flags().StringVarP(&externalURL, "external-url", "e", getEnvWithDefault("EXTERNAL_URL", "http://localhost:8081"), "External URL for the proxy")
 	rootCmd.Flags().StringVarP(&proxyURL, "proxy-url", "p", getEnvWithDefault("PROXY_URL", "http://localhost:8080"), "Proxy URL for the proxy")
 	rootCmd.Flags().StringVarP(&globalSecret, "global-secret", "s", getEnvWithDefault("GLOBAL_SECRET", "supersecret"), "Global secret for the proxy")
-	
+
 	// Google OAuth configuration
 	rootCmd.Flags().StringVar(&googleClientID, "google-client-id", getEnvWithDefault("GOOGLE_CLIENT_ID", ""), "Google OAuth client ID")
 	rootCmd.Flags().StringVar(&googleClientSecret, "google-client-secret", getEnvWithDefault("GOOGLE_CLIENT_SECRET", ""), "Google OAuth client secret")
 	rootCmd.Flags().StringVar(&googleAllowedUsers, "google-allowed-users", getEnvWithDefault("GOOGLE_ALLOWED_USERS", ""), "Comma-separated list of allowed Google users (emails)")
-	
+
 	// GitHub OAuth configuration
 	rootCmd.Flags().StringVar(&githubClientID, "github-client-id", getEnvWithDefault("GITHUB_CLIENT_ID", ""), "GitHub OAuth client ID")
 	rootCmd.Flags().StringVar(&githubClientSecret, "github-client-secret", getEnvWithDefault("GITHUB_CLIENT_SECRET", ""), "GitHub OAuth client secret")
 	rootCmd.Flags().StringVar(&githubAllowedUsers, "github-allowed-users", getEnvWithDefault("GITHUB_ALLOWED_USERS", ""), "Comma-separated list of allowed GitHub users (usernames)")
 
+	// Password authentication
+	rootCmd.Flags().StringVar(&password, "password", getEnvWithDefault("PASSWORD", ""), "Plain text password for authentication (will be hashed with bcrypt)")
+	rootCmd.Flags().StringVar(&passwordHash, "password-hash", getEnvWithDefault("PASSWORD_HASH", ""), "Bcrypt hash of password for authentication")
+
 	if err := rootCmd.Execute(); err != nil {
 		panic(err)
 	}
diff --git a/pkg/auth/main.go b/pkg/auth/main.go
@@ -2,15 +2,13 @@ package auth
 
 import (
 	"context"
-	"crypto/sha256"
 	"embed"
-	"fmt"
 	"html/template"
 	"net/http"
-	"strings"
 
 	"github.com/gin-contrib/sessions"
 	"github.com/gin-gonic/gin"
+	"golang.org/x/crypto/bcrypt"
 	"golang.org/x/oauth2"
 )
 
@@ -61,7 +59,6 @@ func NewAuthRouter(passwordHash []string, providers ...Provider) (*AuthRouter, e
 const (
 	LoginEndpoint          = "/.auth/login"
 	LogoutEndpoint         = "/.auth/logout"
-	PasswordEndpoint       = "/.auth/password"
 	GoogleAuthEndpoint     = "/.auth/google"
 	GoogleCallbackEndpoint = "/.auth/google/callback"
 	GitHubAuthEndpoint     = "/.auth/github"
@@ -70,7 +67,7 @@ const (
 
 func (a *AuthRouter) SetupRoutes(router gin.IRouter) {
 	router.GET(LoginEndpoint, a.handleLogin)
-	router.POST(PasswordEndpoint, a.handlePasswordAuth)
+	router.POST(LoginEndpoint, a.handleLoginPost)
 	router.GET(LogoutEndpoint, a.handleLogout)
 	for providerName, provider := range a.providers {
 		router.GET(provider.RedirectURL(), func(c *gin.Context) {
@@ -110,6 +107,11 @@ type ProviderData struct {
 }
 
 func (a *AuthRouter) handleLogin(c *gin.Context) {
+	if c.Request.Method == "POST" {
+		a.handleLoginPost(c)
+		return
+	}
+
 	var providersData []ProviderData
 	for name := range a.providers {
 		providersData = append(providersData, ProviderData{
@@ -118,24 +120,14 @@ func (a *AuthRouter) handleLogin(c *gin.Context) {
 		})
 	}
 
-	session := sessions.Default(c)
-	passwordError := session.Get("password_error")
-	session.Delete("password_error")
-	session.Save()
-
-	var passwordErrorStr string
-	if passwordError != nil {
-		passwordErrorStr = passwordError.(string)
-	}
-
 	data := struct {
 		Providers     []ProviderData
 		HasPassword   bool
 		PasswordError string
 	}{
 		Providers:     providersData,
 		HasPassword:   len(a.passswordHash) > 0,
-		PasswordError: passwordErrorStr,
+		PasswordError: "",
 	}
 
 	c.Header("Content-Type", "text/html; charset=utf-8")
@@ -145,31 +137,52 @@ func (a *AuthRouter) handleLogin(c *gin.Context) {
 	}
 }
 
-func (a *AuthRouter) handlePasswordAuth(c *gin.Context) {
+func (a *AuthRouter) handleLoginPost(c *gin.Context) {
 	password := c.PostForm("password")
+	var errorMessage string
+
 	if password == "" {
-		session := sessions.Default(c)
-		session.Set("password_error", "Password is required")
-		session.Save()
-		c.Redirect(http.StatusFound, LoginEndpoint)
-		return
+		errorMessage = "Password is required"
+	} else {
+		var isValid bool
+		for _, hash := range a.passswordHash {
+			err := bcrypt.CompareHashAndPassword([]byte(hash), []byte(password))
+			if err == nil {
+				isValid = true
+				break
+			}
+		}
+
+		if !isValid {
+			errorMessage = "Invalid password"
+		}
 	}
 
-	hashedPassword := fmt.Sprintf("%x", sha256.Sum256([]byte(password)))
+	if errorMessage != "" {
+		var providersData []ProviderData
+		for name := range a.providers {
+			providersData = append(providersData, ProviderData{
+				Name: name,
+				URL:  a.providers[name].AuthURL(),
+			})
+		}
 
-	var isValid bool
-	for _, hash := range a.passswordHash {
-		if strings.EqualFold(hashedPassword, hash) {
-			isValid = true
-			break
+		data := struct {
+			Providers     []ProviderData
+			HasPassword   bool
+			PasswordError string
+		}{
+			Providers:     providersData,
+			HasPassword:   len(a.passswordHash) > 0,
+			PasswordError: errorMessage,
 		}
-	}
 
-	if !isValid {
-		session := sessions.Default(c)
-		session.Set("password_error", "Invalid password")
-		session.Save()
-		c.Redirect(http.StatusFound, LoginEndpoint)
+		c.Header("Content-Type", "text/html; charset=utf-8")
+		c.Status(http.StatusBadRequest)
+		if err := a.template.Execute(c.Writer, data); err != nil {
+			c.AbortWithError(http.StatusInternalServerError, err)
+			return
+		}
 		return
 	}
 
diff --git a/pkg/auth/templates/login.html b/pkg/auth/templates/login.html
@@ -7,7 +7,7 @@
     <style>
       body {
         font-family: "Segoe UI", Tahoma, Geneva, Verdana, sans-serif;
-        background: linear-gradient(135deg, #667eea 0%, #764ba2 100%);
+        background: linear-gradient(135deg, #f8f9fa 0%, #e9ecef 100%);
         margin: 0;
         padding: 0;
         min-height: 100vh;
@@ -31,11 +31,6 @@
         font-size: 2rem;
         font-weight: 600;
       }
-      .password-form {
-        margin-bottom: 2rem;
-        padding-bottom: 2rem;
-        border-bottom: 1px solid #e5e5e5;
-      }
       .form-group {
         margin-bottom: 1.5rem;
         text-align: left;
@@ -85,7 +80,7 @@
         font-size: 0.9rem;
       }
       .divider::before {
-        content: '';
+        content: "";
         position: absolute;
         top: 50%;
         left: 0;
@@ -122,18 +117,18 @@
         transform: translateY(-2px);
         box-shadow: 0 6px 16px rgba(0, 0, 0, 0.15);
       }
-      .google {
+      .Google {
         background-color: #4285f4;
         color: white;
       }
-      .google:hover {
+      .Google:hover {
         background-color: #357ae8;
       }
-      .github {
+      .GitHub {
         background-color: #333;
         color: white;
       }
-      .github:hover {
+      .GitHub:hover {
         background-color: #24292e;
       }
       .error-message {
@@ -147,28 +142,30 @@
   <body>
     <div class="login-container">
       <h1>MCP Auth Proxy</h1>
-      
+
       {{if .HasPassword}}
-      <form class="password-form" action="/.auth/password" method="POST">
+      <form class="password-form" action="/.auth/login" method="POST">
         <div class="form-group">
           <label class="form-label" for="password">Password</label>
-          <input class="form-input" type="password" id="password" name="password" required>
+          <input
+            class="form-input"
+            type="password"
+            id="password"
+            name="password"
+            required
+          />
         </div>
         <button class="password-button" type="submit">Login</button>
         {{if .PasswordError}}
         <div class="error-message">{{.PasswordError}}</div>
         {{end}}
       </form>
-      {{end}}
-      
-      {{if and .HasPassword .Providers}}
+      {{end}} {{if and .HasPassword (gt (len .Providers) 0)}}
       <div class="divider">
         <span>or</span>
       </div>
-      {{end}}
-      
-      {{range .Providers}}
-      <a href="{{.URL}}" class="provider-button {{.Name | lower}}">
+      {{end}} {{range .Providers}}
+      <a href="{{.URL}}" class="provider-button {{.Name }}">
         Login with {{.Name}}
       </a>
       {{end}}
diff --git a/pkg/mcp-proxy/main.go b/pkg/mcp-proxy/main.go
@@ -19,6 +19,7 @@ import (
 	"github.com/sigbit/mcp-auth-proxy/pkg/repository"
 	"github.com/sigbit/mcp-auth-proxy/pkg/utils"
 	"go.uber.org/zap"
+	"golang.org/x/crypto/bcrypt"
 )
 
 func Run(
@@ -33,6 +34,8 @@ func Run(
 	githubClientID string,
 	githubClientSecret string,
 	githubAllowedUsers []string,
+	password string,
+	passwordHash string,
 ) error {
 	parsedExternalURL, err := url.Parse(externalURL)
 	if err != nil {
@@ -89,7 +92,23 @@ func Run(
 		providers = append(providers, githubProvider)
 	}
 
-	authRouter, err := auth.NewAuthRouter([]string{}, providers...)
+	var passwordHashes []string
+
+	// Handle password argument - generate bcrypt hash if provided
+	if password != "" {
+		hash, err := bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost)
+		if err != nil {
+			return fmt.Errorf("failed to generate password hash: %w", err)
+		}
+		passwordHashes = append(passwordHashes, string(hash))
+	}
+
+	// Handle password-hash argument - use directly if provided
+	if passwordHash != "" {
+		passwordHashes = append(passwordHashes, passwordHash)
+	}
+
+	authRouter, err := auth.NewAuthRouter(passwordHashes, providers...)
 	if err != nil {
 		return fmt.Errorf("failed to create auth router: %w", err)
 	}
