From a896f2e032d9b9ba546fa92b3e95039e54123cb2 Mon Sep 17 00:00:00 2001
From: Roberto Alsina
Date: Mon, 8 Jul 2024 13:34:54 -0300
Subject: [PATCH] Rethought login
---
 TODO.md | 6 +++---
 src/commands/login.cr | 26 ++++++++++++++++++++++----
 src/daemon/config.cr | 2 +-
 3 files changed, 26 insertions(+), 8 deletions(-)
diff --git a/TODO.md b/TODO.md
index ef527ef..11dd4a8 100644
--- a/TODO.md
+++ b/TODO.md
@@ -18,12 +18,12 @@
 * Sanitize all inputs
 * ✅ Streaming responses in slow operations like scaling down or building
-* Make more things configurable / remove hardcoded stuff
+* ✅ Make more things configurable / remove hardcoded stuff
 * ✅ Make server take options from file
 * ✅ Make server take options from environment
 * ✅ Make server password configurable
- * admin/admin auth client side [WIP, broke everything]
- * `faaso login` is not working properly yet with proxy
+ * ✅ admin/admin auth client side
+ * ✅ `faaso login` is not working properly yet with proxy
 * CD for binaries and images for at least arm64/x86
 * Multi-container docker logs [faaso logs -f FUNKO]
 * ✅ Direct error and above to stderr, others to stdout,
diff --git a/src/commands/login.cr b/src/commands/login.cr
index 09d5899..050d8ed 100644
--- a/src/commands/login.cr
+++ b/src/commands/login.cr
@@ -9,10 +9,28 @@ module Faaso
 else
 password = STDIN.gets.to_s
 end
- # Testing with auth/ which is guaranteed locked
- Crest.get(
- "#{server}auth/", \
- user: "admin", password: password).body
+ # This is tricky. If the service is running behind a reverse proxy
+ # then /version is locked, but if it's not, only /auth is locked.
+ # So we try /version first without a password, and if it succeeds
+ # we try /auth with the password. If /version fails, we try /version
+ # with the password
+ #
+ begin
+ # Version without password.
+ Crest.get("#{server}version/")
+ # Auth with password
+ begin
+ Crest.get("#{server}auth/", user: "admin", password: password)
+ rescue ex : Crest::Unauthorized
+ # Failed with auth/
+ Log.error { "Wrong password" }
+ return 1
+ end
+ rescue ex : Crest::Unauthorized
+ # Version with password
+ Crest.get("#{server}version/", user: "admin", password: password)
+ end
+ # If we got here the password is ok
 CONFIG.hosts[server] = {"admin", password}
 Config.save
diff --git a/src/daemon/config.cr b/src/daemon/config.cr
index f45fb25..f64cac2 100644
--- a/src/daemon/config.cr
+++ b/src/daemon/config.cr
@@ -20,7 +20,7 @@ class Config
 end
 class ConfigAuthHandler < Kemal::BasicAuth::Handler
- only ["/auth"]
+ only ["/auth", "/auth/*"]
 def call(context)
 return call_next(context) unless only_match?(context)
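Review bot: In the outer `rescue ex : Crest::Unauthorized` branch of the login.cr hunk, the credentialed `Crest.get("#{server}version/", user: "admin", password: password)` has no rescue of its own, so a wrong password in the reverse-proxy case escapes as an unhandled `Crest::Unauthorized` instead of reaching the `Log.error { "Wrong password" }` / `return 1` that the non-proxy branch gets, and the trailing `# If we got here the password is ok` comment is only true on the first path. Collapsing the two probes into one decision fixes the asymmetry: probe `version/` once without credentials to learn which endpoint is locked, then make a single authenticated request and handle `Unauthorized` in one place, so the check that gates `CONFIG.hosts[server] = {"admin", password}` is the same on both paths. Any other failure of the unauthenticated probe (connection refused, a proxy answering 403 rather than 401) still propagates uncaught; whether that is acceptable depends on what the surrounding method does with exceptions, which is outside the hunk. The `ex` binding is unused in both rescue clauses and can be dropped. The enclosing method starts before and ends after this hunk.
```crystal
      # … unchanged: password prompt …
      # Decide which endpoint is protected: behind a reverse proxy the
      # unauthenticated probe of version/ is rejected, otherwise only
      # auth/ is locked.
      locked = begin
        Crest.get("#{server}version/")
        "auth/"
      rescue Crest::Unauthorized
        "version/"
      end
      # One authenticated request, one place to handle a bad password.
      begin
        Crest.get("#{server}#{locked}", user: "admin", password: password)
      rescue Crest::Unauthorized
        Log.error { "Wrong password" }
        return 1
      end
      # … unchanged: CONFIG.hosts[server] = {"admin", password} / Config.save …
```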