From 921052dff55e072402785fe69d9ed682814e0679 Mon Sep 17 00:00:00 2001
From: baldo
Date: Tue, 24 May 2016 19:40:02 +0200
Subject: [PATCH] Protect logging backend.

---
 config.json.example | 6 ++++++
 package.json | 1 +
 server/app.js | 16 ++++++++++++++++
 server/config.js | 6 ++++++
 server/logger.js | 4 +++-
 5 files changed, 32 insertions(+), 1 deletion(-)

diff --git a/config.json.example b/config.json.example
index 162af75..6830415 100644
--- a/config.json.example
+++ b/config.json.example
@@ -12,6 +12,12 @@ "logRequests": false
 },
+ "internal": {
+ "active": false,
+ "user": "admin",
+ "password": "secret"
+ },
+
 "email": {
 "from": "Freifunk Knotenformular ",
diff --git a/package.json b/package.json
index d28d365..05d01d4 100644
--- a/package.json
+++ b/package.json
@@ -34,6 +34,7 @@
 "grunt-svgmin": "~3.2.0",
 "grunt-usemin": "~3.1.1",
 "grunt-wiredep": "~3.0.1",
+ "http-auth": "~2.3.6",
 "http-errors": "~1.4.0",
 "imagemin-gifsicle": "~5.0.0",
 "jshint-stylish": "~2.2.0",
diff --git a/server/app.js b/server/app.js
index c24e315..953c0e9 100644
--- a/server/app.js
+++ b/server/app.js
@@ -2,11 +2,27 @@ angular.module('ffffng').factory('app', function (fs, config, _) {
 var express = require('express');
+ var auth = require('http-auth');
 var bodyParser = require('body-parser');
 var compress = require('compression');
 var app = express();
+ // urls beneath /internal are protected
+ var internalAuth = auth.basic(
+ {
+ realm: "Knotenformular - Intern"
+ },
+ function (username, password, callback) {
+ callback(
+ config.server.internal.active &&
+ username === config.server.internal.user &&
+ password === config.server.internal.password
+ );
+ }
+ );
+ app.use('/internal', auth.connect(internalAuth));
+
 app.use(bodyParser.json());
 var clientDir = __dirname + '/../client';
diff --git a/server/config.js b/server/config.js
index 4a70f84..c28c773 100644
--- a/server/config.js
+++ b/server/config.js
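Review bot: In the server/app.js hunk the verifier callback checks the submitted username and password with `===`, which is not a constant-time comparison, and the `&&` chain skips the password check whenever the username is wrong, so response timing can reveal how much of a guess matched. Comparing fixed-length digests with `crypto.timingSafeEqual` and evaluating both fields before combining them removes that signal; this needs `crypto` required next to the other modules and a Node version that provides the function. Basic auth sends the credentials base64-encoded on every request, so `/internal` should only be reachable over TLS, which this hunk does not show. The enclosing factory function continues outside the hunk.

```javascript
    // … unchanged: requires and express() setup …

    // Compare fixed-length digests so neither length nor content affects timing.
    function safeEqual(given, expected) {
        if (typeof given !== 'string' || typeof expected !== 'string') {
            return false;
        }
        var a = crypto.createHash('sha256').update(given).digest();
        var b = crypto.createHash('sha256').update(expected).digest();
        return crypto.timingSafeEqual(a, b);
    }

    var internalAuth = auth.basic(
        // … unchanged: realm option …
        function (username, password, callback) {
            var internal = config.server.internal;
            var userOk = safeEqual(username, internal.user);
            var passwordOk = safeEqual(password, internal.password);
            callback(Boolean(internal.active) && userOk && passwordOk);
        }
    );
```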
@@ -17,6 +17,12 @@ var defaultConfig = {
 logRequests: false
 },
+ internal: {
+ active: false,
+ user: 'admin',
+ password: 'secret'
+ },
+
 email: {
 from: 'Freifunk Knotenformular ',
diff --git a/server/logger.js b/server/logger.js
index d751ce4..4c17da1 100644
--- a/server/logger.js
+++ b/server/logger.js
@@ -30,7 +30,9 @@ angular.module('ffffng').factory('Logger', function (app) {
 if (config.server.logging.logRequests) {
 app.use(scribe.express.logger());
 }
- app.use('/internal/logs', scribe.webPanel());
+ if (config.server.internal.active) {
+ app.use('/internal/logs', scribe.webPanel());
+ }
 return process.console;
 });
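Review bot: The new `internal` defaults in server/config.js ship a working credential pair, `user: 'admin'` and `password: 'secret'`, and the config.json.example hunk repeats the same values. If these defaults are merged under the operator's config.json (the merge is outside this hunk), setting only `"active": true` puts the log panel behind a password that is published in the repository. Defaulting to `user: null, password: null` makes the strict comparison in server/app.js fail until real values are configured, and the example file could carry an obvious placeholder such as `"password": "<choose a long random password>"`. The `defaultConfig` object continues outside the hunk.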
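Review bot: The guarded mount of `scribe.webPanel()` in the server/logger.js hunk has no comment saying where its access control comes from: the panel is only protected because the `/internal` auth middleware in server/app.js is registered first, and Express runs middleware in registration order. That ordering appears to rest on the `Logger` factory depending on `app`, so a comment such as `// /internal is behind basic auth registered in server/app.js; this mount must stay after it` would keep a later refactor from exposing the panel. The factory body starts outside the hunk.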