1 files changed, 26 insertions, 3 deletions

diff --git a/libmproxy/web/app.py b/libmproxy/web/app.py
index 958b8669..2c45a1dc 100644
--- a/libmproxy/web/app.py
+++ b/libmproxy/web/app.py
@@ -4,6 +4,7 @@ import tornado.web
 import tornado.websocket
 import logging
 import json
+import base64
 
 from netlib.http import CONTENT_MISSING
 from .. import version, filt
@@ -40,7 +41,28 @@ class APIError(tornado.web.HTTPError):
     pass
 
 
-class RequestHandler(tornado.web.RequestHandler):
+class BasicAuth(object):
+    def set_auth_headers(self):
+        self.set_status(401)
+        self.set_header('WWW-Authenticate', 'Basic realm=MITMWeb')
+        self._transforms = []
+        self.finish()
+
+    def prepare(self):
+        wauthenticator = self.application.settings['wauthenticator']
+        if wauthenticator:
+            auth_header = self.request.headers.get('Authorization')
+            if auth_header is None or not auth_header.startswith('Basic '):
+                self.set_auth_headers()
+            else:
+                self.auth_decoded = base64.decodestring(auth_header[6:])
+                self.username, self.password = self.auth_decoded.split(':', 2)
+                if not wauthenticator.test(self.username, self.password):
+                    self.set_auth_headers()
+                    raise APIError(401, "Invalid username or password.")
+
+
+class RequestHandler(BasicAuth, tornado.web.RequestHandler):
 
     def set_default_headers(self):
         super(RequestHandler, self).set_default_headers()
@@ -100,7 +122,7 @@ class FiltHelp(RequestHandler):
         ))
 
 
-class WebSocketEventBroadcaster(tornado.websocket.WebSocketHandler):
+class WebSocketEventBroadcaster(BasicAuth, tornado.websocket.WebSocketHandler):
     # raise an error if inherited class doesn't specify its own instance.
     connections = None
 
@@ -284,7 +306,7 @@ class Settings(RequestHandler):
 
 class Application(tornado.web.Application):
 
-    def __init__(self, master, debug):
+    def __init__(self, master, debug, wauthenticator):
         self.master = master
         handlers = [
             (r"/", IndexHandler),
@@ -308,5 +330,6 @@ class Application(tornado.web.Application):
             xsrf_cookies=True,
             cookie_secret=os.urandom(256),
             debug=debug,
+            wauthenticator=wauthenticator,
         )
         super(Application, self).__init__(handlers, **settings)