authorDan Engelbrecht <[email protected]>2026-02-17 14:00:53 +0100
committerGitHub Enterprise <[email protected]>2026-02-17 14:00:53 +0100
commit5e1e23e209eec75a396c18f8eee3d93a9e196bfc (patch)
tree31b2b3938468aacdb0621e8b932cb9e9738ee918 /src/zenhttp/servers
parentmisc fixes brought over from sb/proto (#759) (diff)
add http server root password protection (#757)
- Feature: Added `--security-config-path` option to zenserver to configure security settings - Expects a path to a .json file - Default is an empty path resulting in no extra security settings and legacy behavior - Current support is a top-level filter of incoming http requests restricted to the `password` type - `password` type will check the `Authorization` header and match it to the selected authorization strategy - Currently the security settings are very basic and configured to a fixed username+password at startup { "http" { "root": { "filter": { "type": "password", "config": { "password": { "username": "<username>", "password": "<password>" }, "protect-machine-local-requests": false, "unprotected-uris": [ "/health/", "/health/info", "/health/version" ] } } } } }
Diffstat (limited to 'src/zenhttp/servers')
-rw-r--r--src/zenhttp/servers/httpasio.cpp14
-rw-r--r--src/zenhttp/servers/httpmulti.cpp1
-rw-r--r--src/zenhttp/servers/httpnull.cpp1
-rw-r--r--src/zenhttp/servers/httpparser.cpp6
-rw-r--r--src/zenhttp/servers/httpparser.h3
-rw-r--r--src/zenhttp/servers/httpplugin.cpp18
-rw-r--r--src/zenhttp/servers/httpsys.cpp21
7 files changed, 50 insertions, 14 deletions
diff --git a/src/zenhttp/servers/httpasio.cpp b/src/zenhttp/servers/httpasio.cpp
index 1f42b05d2..1c0ebef90 100644
--- a/src/zenhttp/servers/httpasio.cpp
+++ b/src/zenhttp/servers/httpasio.cpp
@@ -542,7 +542,8 @@ public:
virtual Oid ParseSessionId() const override;
virtual uint32_t ParseRequestId() const override;
- virtual bool IsLocalMachineRequest() const override;
+ virtual bool IsLocalMachineRequest() const override;
+ virtual std::string_view GetAuthorizationHeader() const override;
virtual IoBuffer ReadPayload() override;
virtual void WriteResponse(HttpResponseCode ResponseCode) override;
@@ -1747,6 +1748,12 @@ HttpAsioServerRequest::IsLocalMachineRequest() const
return m_IsLocalMachineRequest;
}
+std::string_view
+HttpAsioServerRequest::GetAuthorizationHeader() const
+{
+ return m_Request.AuthorizationHeader();
+}
+
IoBuffer
HttpAsioServerRequest::ReadPayload()
{
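Review bot: `HttpAsioServerRequest::GetAuthorizationHeader()` has no comment saying what the returned `std::string_view` aliases or how long it stays valid; it forwards `m_Request.AuthorizationHeader()`, which presumably points into the parser's header storage. I would add above the definition `// Raw Authorization header value; presumably empty when absent (confirm GetHeaderValue for index -1).` and `// View aliases request storage and is valid only while this request lives; it carries credentials, so do not log or cache it.` The same comment applies to the `HttpPluginServerRequest` and `HttpSysServerRequest` definitions later in this commit, where the http.sys variant aliases the `HTTP_REQUEST` known-header entry.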
@@ -1964,8 +1971,8 @@ HttpAsioServerImpl::FilterRequest(HttpServerRequest& Request)
{
return IHttpRequestFilter::Result::Accepted;
}
- IHttpRequestFilter::Result FilterResult = RequestFilter->FilterRequest(Request);
- return FilterResult;
+
+ return RequestFilter->FilterRequest(Request);
}
} // namespace zen::asio_http
@@ -2080,6 +2087,7 @@ HttpAsioServer::OnRun(bool IsInteractive)
if (c == 27 || c == 'Q' || c == 'q')
{
+ m_ShutdownEvent.Set();
RequestApplicationExit(0);
}
}
diff --git a/src/zenhttp/servers/httpmulti.cpp b/src/zenhttp/servers/httpmulti.cpp
index 850d7d6b9..310ac9dc0 100644
--- a/src/zenhttp/servers/httpmulti.cpp
+++ b/src/zenhttp/servers/httpmulti.cpp
@@ -82,6 +82,7 @@ HttpMultiServer::OnRun(bool IsInteractiveSession)
if (c == 27 || c == 'Q' || c == 'q')
{
+ m_ShutdownEvent.Set();
RequestApplicationExit(0);
}
}
diff --git a/src/zenhttp/servers/httpnull.cpp b/src/zenhttp/servers/httpnull.cpp
index db360c5fb..9bb7ef3bc 100644
--- a/src/zenhttp/servers/httpnull.cpp
+++ b/src/zenhttp/servers/httpnull.cpp
@@ -57,6 +57,7 @@ HttpNullServer::OnRun(bool IsInteractiveSession)
if (c == 27 || c == 'Q' || c == 'q')
{
+ m_ShutdownEvent.Set();
RequestApplicationExit(0);
}
}
diff --git a/src/zenhttp/servers/httpparser.cpp b/src/zenhttp/servers/httpparser.cpp
index 93094e21b..be5befcd2 100644
--- a/src/zenhttp/servers/httpparser.cpp
+++ b/src/zenhttp/servers/httpparser.cpp
@@ -19,6 +19,7 @@ static constinit uint32_t HashExpect = HashStringAsLowerDjb2("Expect"sv);
static constinit uint32_t HashSession = HashStringAsLowerDjb2("UE-Session"sv);
static constinit uint32_t HashRequest = HashStringAsLowerDjb2("UE-Request"sv);
static constinit uint32_t HashRange = HashStringAsLowerDjb2("Range"sv);
+static constinit uint32_t HashAuthorization = HashStringAsLowerDjb2("Authorization"sv);
//////////////////////////////////////////////////////////////////////////
//
@@ -154,6 +155,10 @@ HttpRequestParser::ParseCurrentHeader()
{
m_ContentTypeHeaderIndex = CurrentHeaderIndex;
}
+ else if (HeaderHash == HashAuthorization)
+ {
+ m_AuthorizationHeaderIndex = CurrentHeaderIndex;
+ }
else if (HeaderHash == HashSession)
{
m_SessionId = Oid::TryFromHexString(HeaderValue);
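Review bot: The new `else if (HeaderHash == HashAuthorization)` branch overwrites `m_AuthorizationHeaderIndex` on every match, so a request carrying more than one Authorization header silently has the last one win. Any intermediary that evaluates the first occurrence would then disagree with this server about which credential was presented. Consider rejecting a repeat as malformed, or at least keeping the first with `if (m_AuthorizationHeaderIndex == -1) m_AuthorizationHeaderIndex = CurrentHeaderIndex;` (the `-1` is the reset value set in `ResetState()`). The branch also matches on the 32-bit djb2 hash alone, as its siblings do; for a header that now gates access it is worth confirming the header name with a case-insensitive compare after the hash hit. `ParseCurrentHeader()` starts and ends outside this hunk.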
@@ -357,6 +362,7 @@ HttpRequestParser::ResetState()
m_AcceptHeaderIndex = -1;
m_ContentTypeHeaderIndex = -1;
m_RangeHeaderIndex = -1;
+ m_AuthorizationHeaderIndex = -1;
m_Expect100Continue = false;
m_BodyBuffer = {};
m_BodyPosition = 0;
diff --git a/src/zenhttp/servers/httpparser.h b/src/zenhttp/servers/httpparser.h
index 0d2664ec5..ff56ca970 100644
--- a/src/zenhttp/servers/httpparser.h
+++ b/src/zenhttp/servers/httpparser.h
@@ -46,6 +46,8 @@ struct HttpRequestParser
std::string_view RangeHeader() const { return GetHeaderValue(m_RangeHeaderIndex); }
+ std::string_view AuthorizationHeader() const { return GetHeaderValue(m_AuthorizationHeaderIndex); }
+
private:
struct HeaderRange
{
@@ -83,6 +85,7 @@ private:
int8_t m_AcceptHeaderIndex;
int8_t m_ContentTypeHeaderIndex;
int8_t m_RangeHeaderIndex;
+ int8_t m_AuthorizationHeaderIndex;
HttpVerb m_RequestVerb;
std::atomic_bool m_KeepAlive{false};
bool m_Expect100Continue = false;
diff --git a/src/zenhttp/servers/httpplugin.cpp b/src/zenhttp/servers/httpplugin.cpp
index 4219dc292..8564826d6 100644
--- a/src/zenhttp/servers/httpplugin.cpp
+++ b/src/zenhttp/servers/httpplugin.cpp
@@ -147,10 +147,10 @@ public:
HttpPluginServerRequest& operator=(const HttpPluginServerRequest&) = delete;
// As this is plugin transport connection used for specialized connections we assume it is not a machine local connection
- virtual bool IsLocalMachineRequest() const /* override*/ { return false; }
-
- virtual Oid ParseSessionId() const override;
- virtual uint32_t ParseRequestId() const override;
+ virtual bool IsLocalMachineRequest() const /* override*/ { return false; }
+ virtual std::string_view GetAuthorizationHeader() const override;
+ virtual Oid ParseSessionId() const override;
+ virtual uint32_t ParseRequestId() const override;
virtual IoBuffer ReadPayload() override;
virtual void WriteResponse(HttpResponseCode ResponseCode) override;
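Review bot: `IsLocalMachineRequest()` is re-aligned here but still carries `/* override*/` commented out, while the new `GetAuthorizationHeader()` beside it is declared `override`. The commit description makes local-machine classification part of the access decision (`protect-machine-local-requests`), so if the signature ever drifts from the base class the filter would silently call the base implementation instead of this `return false`. If the base declares it virtual with this signature, as the `override` on the asio request class suggests, write `virtual bool IsLocalMachineRequest() const override { return false; }`. The `IsLocalMachineRequest()` declaration in the httpsys.cpp hunk at `-319` has the same omission.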
@@ -636,6 +636,12 @@ HttpPluginServerRequest::~HttpPluginServerRequest()
{
}
+std::string_view
+HttpPluginServerRequest::GetAuthorizationHeader() const
+{
+ return m_Request.AuthorizationHeader();
+}
+
Oid
HttpPluginServerRequest::ParseSessionId() const
{
@@ -831,6 +837,7 @@ HttpPluginServerImpl::OnRun(bool IsInteractive)
if (c == 27 || c == 'Q' || c == 'q')
{
+ m_ShutdownEvent.Set();
RequestApplicationExit(0);
}
}
@@ -932,8 +939,7 @@ HttpPluginServerImpl::FilterRequest(HttpServerRequest& Request)
{
return IHttpRequestFilter::Result::Accepted;
}
- IHttpRequestFilter::Result FilterResult = RequestFilter->FilterRequest(Request);
- return FilterResult;
+ return RequestFilter->FilterRequest(Request);
}
//////////////////////////////////////////////////////////////////////////
diff --git a/src/zenhttp/servers/httpsys.cpp b/src/zenhttp/servers/httpsys.cpp
index 5fed94f1c..14896c803 100644
--- a/src/zenhttp/servers/httpsys.cpp
+++ b/src/zenhttp/servers/httpsys.cpp
@@ -72,6 +72,8 @@ GetAddressString(StringBuilderBase& OutString, const SOCKADDR* SockAddr, bool In
OutString.Append("unknown");
}
+class HttpSysServerRequest;
+
/**
* @brief Windows implementation of HTTP server based on http.sys
*
@@ -102,7 +104,7 @@ public:
inline bool IsOk() const { return m_IsOk; }
inline bool IsAsyncResponseEnabled() const { return m_IsAsyncResponseEnabled; }
- IHttpRequestFilter::Result FilterRequest(HttpServerRequest& Request);
+ IHttpRequestFilter::Result FilterRequest(HttpSysServerRequest& Request);
private:
int InitializeServer(int BasePort);
@@ -319,7 +321,8 @@ public:
virtual Oid ParseSessionId() const override;
virtual uint32_t ParseRequestId() const override;
- virtual bool IsLocalMachineRequest() const;
+ virtual bool IsLocalMachineRequest() const;
+ virtual std::string_view GetAuthorizationHeader() const override;
virtual IoBuffer ReadPayload() override;
virtual void WriteResponse(HttpResponseCode ResponseCode) override;
@@ -1364,6 +1367,7 @@ HttpSysServer::OnRun(bool IsInteractive)
if (c == 27 || c == 'Q' || c == 'q')
{
+ m_ShutdownEvent.Set();
RequestApplicationExit(0);
}
}
@@ -1861,6 +1865,14 @@ HttpSysServerRequest::IsLocalMachineRequest() const
}
}
+std::string_view
+HttpSysServerRequest::GetAuthorizationHeader() const
+{
+ const HTTP_REQUEST* HttpRequestPtr = m_HttpTx.HttpRequest();
+ const HTTP_KNOWN_HEADER& AuthorizationHeader = HttpRequestPtr->Headers.KnownHeaders[HttpHeaderAuthorization];
+ return std::string_view(AuthorizationHeader.pRawValue, AuthorizationHeader.RawValueLength);
+}
+
IoBuffer
HttpSysServerRequest::ReadPayload()
{
@@ -2270,7 +2282,7 @@ HttpSysServer::OnSetHttpRequestFilter(IHttpRequestFilter* RequestFilter)
}
IHttpRequestFilter::Result
-HttpSysServer::FilterRequest(HttpServerRequest& Request)
+HttpSysServer::FilterRequest(HttpSysServerRequest& Request)
{
if (!m_HttpRequestFilter.load())
{
@@ -2282,8 +2294,7 @@ HttpSysServer::FilterRequest(HttpServerRequest& Request)
{
return IHttpRequestFilter::Result::Accepted;
}
- IHttpRequestFilter::Result FilterResult = RequestFilter->FilterRequest(Request);
- return FilterResult;
+ return RequestFilter->FilterRequest(Request);
}
Ref<HttpServer>