authN: first try local htpasswd then LDAP

We are noticing that LDAP connectivity issues and timeouts can affect authN behavior from client side (which can timeout as well). Instead, put local authN first so at least we have a reliable authN method. But, the caveat is that it is best if the local and LDAP user list doesn't overlap.
project-zot · Jan 15, 2020 · d64a3e3 · d64a3e3
1 parent 17ac1be
commit d64a3e3
Showing 1 changed file with 13 additions and 15 deletions.
diff --git a/pkg/api/auth.go b/pkg/api/auth.go
@@ -142,7 +142,17 @@ func BasicAuthHandler(c *Controller) mux.MiddlewareFunc {
 			username := pair[0]
 			passphrase := pair[1]
 
-			// prefer LDAP if configured
+			// first, HTTPPassword authN (which is local)
+			passphraseHash, ok := credMap[username]
+			if ok {
+				if err := bcrypt.CompareHashAndPassword([]byte(passphraseHash), []byte(passphrase)); err == nil {
+					// Process request
+					next.ServeHTTP(w, r)
+					return
+				}
+			}
+
+			// next, LDAP if configured (network-based which can lose connectivity)
 			if c.Config.HTTP.Auth != nil && c.Config.HTTP.Auth.LDAP != nil {
 				ok, _, err := ldapClient.Authenticate(username, passphrase)
 				if ok && err == nil {
@@ -152,20 +162,8 @@ func BasicAuthHandler(c *Controller) mux.MiddlewareFunc {
 				}
 			}
 
-			// fallback to HTTPPassword
-			passphraseHash, ok := credMap[username]
-			if !ok {
-				authFail(w, realm, delay)
-				return
-			}
-
-			if err := bcrypt.CompareHashAndPassword([]byte(passphraseHash), []byte(passphrase)); err != nil {
-				authFail(w, realm, delay)
-				return
-			}
-
-			// Process request
-			next.ServeHTTP(w, r)
+			authFail(w, realm, delay)
+			return
 		})
 	}
 }