From 523047ad0662109cf5eded9c17c92ab66a99eb2a Mon Sep 17 00:00:00 2001
From: ravenclaw900 <50060110+ravenclaw900@users.noreply.github.com>
Date: Sat, 12 Jun 2021 16:23:33 -0500
Subject: [PATCH] Add possibility to store password hashed
---
 README.md | 12 ++++++++++++
 pkg/util/net/http.go | 26 ++++++++++++++++++++++++--
 2 files changed, 36 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index 028ff914..1a525709 100644
--- a/README.md
+++ b/README.md
@@ -906,6 +906,18 @@ http_user = abc
 http_pwd = abc
 ```
+You can also use a BCrypt encrypted hash as your password.
+
+```ini
+# frpc.ini
+[web]
+type = http
+local_port = 80
+custom_domains = test.example.com
+http_user = abc
+http_pwd = $2a$10$q92.cZZ5/Q0P2cVrRZomquuQdvCEAG9Zx6yoE4GG.Yvq0CiiCDQIW
+```
+
 Visit `http://test.example.com` in the browser and now you are prompted to enter the username and password.
 ### Custom Subdomain Names
diff --git a/pkg/util/net/http.go b/pkg/util/net/http.go
index fa1c34af..de4d81a5 100644
--- a/pkg/util/net/http.go
+++ b/pkg/util/net/http.go
@@ -19,6 +19,8 @@ import (
 "io"
 "net/http"
 "strings"
+
+ "golang.org/x/crypto/bcrypt"
 )
 type HTTPAuthWraper struct {
@@ -63,7 +65,17 @@ func (authMid *HTTPAuthMiddleware) Middleware(next http.Handler) http.Handler {
 if (authMid.user == "" && authMid.passwd == "") ||
 (hasAuth && reqUser == authMid.user && reqPasswd == authMid.passwd) {
 next.ServeHTTP(w, r)
- } else {
+ }
+ else if (authMid.user == reqUser && authMid.passwd[:4] == "$2a$") {
+ correct := bcrypt.CompareHashAndPassword([]byte(reqPasswd), []byte(authMid.passwd))
+ if (correct == nil) {
+ next.ServeHTTP(w, r)
+ } else {
+ w.Header().Set("WWW-Authenticate", `Basic realm="Restricted"`)
+ http.Error(w, http.StatusText(http.StatusUnauthorized), http.StatusUnauthorized)
+ }
+ }
+ else {
 w.Header().Set("WWW-Authenticate", `Basic realm="Restricted"`)
 http.Error(w, http.StatusText(http.StatusUnauthorized), http.StatusUnauthorized)
 }
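Review bot: The arguments to `bcrypt.CompareHashAndPassword` in the added `else if` are reversed: the function takes the stored hash first and the candidate password second, so here the client-supplied `reqPasswd` is parsed as the hash and a correct password cannot match. The unchanged first branch still tests `reqPasswd == authMid.passwd`, so the configured hash string is itself accepted as the password, which cancels the benefit of storing a hash. `authMid.passwd[:4]` also panics for a configured password shorter than four bytes (the README example uses `abc`), and `else` on its own line after `}` is a syntax error in Go. The HTTPBasicAuth hunk repeats all of these; the sketch below folds the hash check into the existing condition, and the enclosing handler starts outside the hunk.

```go
// … unchanged: start of the handler, outside the hunk …
passwdOK := reqPasswd == authMid.passwd
if strings.HasPrefix(authMid.passwd, "$2a$") {
	// Stored value is a bcrypt hash: pass the hash first, the candidate second,
	// and do not accept a plain-text match against the hash string itself.
	passwdOK = bcrypt.CompareHashAndPassword([]byte(authMid.passwd), []byte(reqPasswd)) == nil
}
if (authMid.user == "" && authMid.passwd == "") ||
	(hasAuth && reqUser == authMid.user && passwdOK) {
	next.ServeHTTP(w, r)
} else {
	// … unchanged: WWW-Authenticate header and 401 response …
}
```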
@@ -76,7 +88,17 @@ func HTTPBasicAuth(h http.HandlerFunc, user, passwd string) http.HandlerFunc {
 if (user == "" && passwd == "") ||
 (hasAuth && reqUser == user && reqPasswd == passwd) {
 h.ServeHTTP(w, r)
- } else {
+ }
+ else if (user == reqUser && authMid.passwd[:4] == "$2a$") {
+ correct := bcrypt.CompareHashAndPassword([]byte(reqPasswd), []byte(authMid.passwd))
+ if (correct == nil) {
+ h.ServeHTTP(w, r)
+ } else {
+ w.Header().Set("WWW-Authenticate", `Basic realm="Restricted"`)
+ http.Error(w, http.StatusText(http.StatusUnauthorized), http.StatusUnauthorized)
+ }
+ }
+ else {
 w.Header().Set("WWW-Authenticate", `Basic realm="Restricted"`)
 http.Error(w, http.StatusText(http.StatusUnauthorized), http.StatusUnauthorized)
 }
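Review bot: `authMid` is not defined in `HTTPBasicAuth`, which receives `user` and `passwd` as parameters, so both `authMid.passwd[:4]` and `[]byte(authMid.passwd)` in the added branch fail to compile. They should use the parameter, for example `strings.HasPrefix(passwd, "$2a$")` and `bcrypt.CompareHashAndPassword([]byte(passwd), []byte(reqPasswd))`. Because this branch is a copy of the one added to `Middleware`, moving the stored-versus-supplied password check into one small unexported helper called from both places would keep the two paths from drifting apart. The function body continues outside the hunk.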