Basic auth without password

1. Caddy version (caddy version):

2.2.1

2. How I run Caddy:

Within Docker image.

a. System environment:

Docker.

b. Command:

caddy run --config /etc/caddy/Caddyfile --adapter caddyfile

d. My complete Caddyfile or JSON config:

{
    order log last

    admin :2099 {
        origins supervisor
        enforce_origin
    }
}

(tls-majority) {
    tls {$ACME_CA_EMAIL} {
        dns route53
    }

    header Strict-Transport-Security max-age=31536000;
}

(tls-alpha) {
    import tls-majority
}

(tls-beta) {
    import tls-majority
}

(tls-production) {
    import tls-majority
}

(tls-local) {
    tls {
        issuer zerossl {$ZERO_SSL_API_KEY} {
            dns route53
        }
    }
}

(default) {
    encode gzip

    log

    import tls-{$TARGET_ENV}
}

{$DOMAIN} {
    import default

    root * /www/app
    file_server

    @exceptProxy not path /favicon.ico /robots.txt
    reverse_proxy @exceptProxy http://app:{$APP_SERVICE_PORT_HTTP}
}

3. The problem I’m having:

I’m trying to use basic auth without a password:

{$DOMAIN} {
    import default

    root * /www/app
    file_server

    basicauth /services {
        username
    }

    @exceptProxy not path /favicon.ico /robots.txt
    reverse_proxy @exceptProxy http://app:{$APP_SERVICE_PORT_HTTP}
}

4. Error messages and/or full log output:

run: adapting config using caddyfile: parsing caddyfile tokens for 'basicauth': /etc/caddy/Caddyfile:125 - Error during parsing: username and password cannot be empty or missing

5. What I already tried:

Not providing a password.

6. Links to relevant resources:

I’m trying to secure a route that the Prismic headless CMS will execute on my site. Please view Integration - Documentation - Prismic and read the authentication section in where it says:

The token will be used as the ‘username’ for the Basic Auth flow. The password will be left blank.

That’s a pretty strange requirement.

Since basic auth is actually just looking at the Authorization header, you can just use a header matcher instead. The header is usually in this pattern:

Authorization: Basic base64_encode("<username>:<password>")

So all you need to do is take your API key they’re talking about, append : to it, then base64 encode that. Then you can match on that header value like this:

@authenticated header Authorization "Basic <base64 value>"

You could just respond with respond "Unauthenticated" 401 if that doesn’t match (add a not to that matcher to invert it).

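The header-matcher approach above can be checked offline before it goes into a Caddyfile. The following Python is an added example, not code from the original thread or from Caddy: it computes the exact Authorization value a Basic-auth client sends for a given username and a blank password, renders the matcher-plus-401 guard the answer describes (scoped to a constructed path prefix /services), and contrasts Caddy's exact header match with a check that parses the header the way a Basic-auth server would. The token value and all function names are assumptions made for the example.

```python
import base64
import binascii
import hmac
from typing import Optional

# Constructed placeholder token for the example; not a real Prismic token.
PRISMIC_TOKEN = "example-prismic-token"


def expected_authorization(token: str) -> str:
    """Header value a Basic-auth client sends for username=token, empty password.

    Basic auth encodes "username:password"; with a blank password the string
    that gets base64-encoded is simply "<token>:" (trailing colon included).
    """
    creds = f"{token}:".encode("utf-8")
    return "Basic " + base64.b64encode(creds).decode("ascii")


def caddyfile_snippet(token: str, path_prefix: str = "/services") -> str:
    """Render the guard from the answer as Caddyfile text (assumed layout).

    `respond` comes before `file_server` and `reverse_proxy` in Caddy's default
    directive order, so a request to the protected prefix without the exact
    header gets the 401 and never reaches the backend.
    """
    return "\n".join([
        "@unauthenticated {",
        f"    path {path_prefix}*",
        f'    not header Authorization "{expected_authorization(token)}"',
        "}",
        'respond @unauthenticated "Unauthenticated" 401',
    ])


def header_matcher_accepts(header_value: Optional[str], token: str) -> bool:
    """Mirror Caddy's `header` matcher: an exact, case-sensitive string compare."""
    if header_value is None:
        return False
    expected = expected_authorization(token).encode("utf-8")
    return hmac.compare_digest(header_value.encode("utf-8"), expected)


def basic_auth_accepts(header_value: Optional[str], token: str) -> bool:
    """Tolerant check that parses the header like a Basic-auth server would.

    The scheme name is case-insensitive and surrounding whitespace is ignored,
    so "basic <b64>" passes here but is rejected by the exact header matcher.
    Malformed base64 or a missing ":" separator is rejected.
    """
    if header_value is None:
        return False
    parts = header_value.strip().split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "basic":
        return False
    try:
        creds = base64.b64decode(parts[1], validate=True)
    except (binascii.Error, ValueError):
        return False
    # Constant-time compare so the token cannot be recovered byte by byte.
    return hmac.compare_digest(creds, f"{token}:".encode("utf-8"))


if __name__ == "__main__":
    print(caddyfile_snippet(PRISMIC_TOKEN))
```

The difference between the two accept functions is the practical caveat: Caddy's `header` matcher compares the whole string, so a client that sends `basic` in lower case, extra whitespace, or unpadded base64 will get the 401 even though a real Basic-auth implementation would accept it. For a single, known client such as the CMS webhook that is usually fine, but test with the client's actual request before relying on it.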

Hey,

It’s a very strange requirement. That’s a great idea. Thanks for that!

cheers,
Scott.

