3 files changed, 68 insertions, 28 deletions

diff --git a/src/zenhttp/include/zenhttp/httpserver.h b/src/zenhttp/include/zenhttp/httpserver.h
index cbac06cb6..350532126 100644
--- a/src/zenhttp/include/zenhttp/httpserver.h
+++ b/src/zenhttp/include/zenhttp/httpserver.h
@@ -101,7 +101,8 @@ public:
 	CbObject  ReadPayloadObject();
 	CbPackage ReadPayloadPackage();
 
-	virtual bool IsLocalMachineRequest() const = 0;
+	virtual bool			 IsLocalMachineRequest() const	= 0;
+	virtual std::string_view GetAuthorizationHeader() const = 0;
 
 	/** Respond with payload
 
@@ -162,8 +163,10 @@ public:
 	virtual void	 OnRequestComplete()								   = 0;
 };
 
-struct IHttpRequestFilter
+class IHttpRequestFilter
 {
+public:
+	virtual ~IHttpRequestFilter() {}
 	enum class Result
 	{
 		Forbidden,
diff --git a/src/zenhttp/include/zenhttp/security/passwordsecurity.h b/src/zenhttp/include/zenhttp/security/passwordsecurity.h
index 026c2865b..6b2b548a6 100644
--- a/src/zenhttp/include/zenhttp/security/passwordsecurity.h
+++ b/src/zenhttp/include/zenhttp/security/passwordsecurity.h
@@ -10,43 +10,29 @@ ZEN_THIRD_PARTY_INCLUDES_END
 
 namespace zen {
 
-struct PasswordSecurityConfiguration
-{
-	std::string				 Password;							   // "password"
-	bool					 ProtectMachineLocalRequests = false;  // "protect-machine-local-requests"
-	std::vector<std::string> UnprotectedUris;					   // "unprotected-urls"
-};
-
 class PasswordSecurity
 {
 public:
-	PasswordSecurity(const PasswordSecurityConfiguration& Config);
+	struct Configuration
+	{
+		std::string				 Password;
+		bool					 ProtectMachineLocalRequests = false;
+		std::vector<std::string> UnprotectedUris;
+	};
+
+	explicit PasswordSecurity(const Configuration& Config);
 
 	[[nodiscard]] inline std::string_view Password() const { return m_Config.Password; }
 	[[nodiscard]] inline bool			  ProtectMachineLocalRequests() const { return m_Config.ProtectMachineLocalRequests; }
-	[[nodiscard]] bool					  IsUnprotectedUri(std::string_view Uri) const;
+	[[nodiscard]] bool					  IsUnprotectedUri(std::string_view BaseUri, std::string_view RelativeUri) const;
 
-	bool IsAllowed(std::string_view Password, std::string_view Uri, bool IsMachineLocalRequest);
+	bool IsAllowed(std::string_view Password, std::string_view BaseUri, std::string_view RelativeUri, bool IsMachineLocalRequest);
 
 private:
-	const PasswordSecurityConfiguration m_Config;
-	tsl::robin_map<uint32_t, uint32_t>	m_UnprotectedUrlHashes;
+	const Configuration				   m_Config;
+	tsl::robin_map<uint32_t, uint32_t> m_UnprotectedUriHashes;
 };
 
-/**
- * Expected format (Json)
- *	{
- *		"password\": \"1234\",
- *		"protect-machine-local-requests\": false,
- *		"unprotected-urls\": [
- *			"/health\",
- *			"/health/info\",
- *			"/health/version\"
- *		]
- *	}
- */
-PasswordSecurityConfiguration ReadPasswordSecurityConfiguration(CbObjectView ConfigObject);
-
 void passwordsecurity_forcelink();	// internal
 
 }  // namespace zen
diff --git a/src/zenhttp/include/zenhttp/security/passwordsecurityfilter.h b/src/zenhttp/include/zenhttp/security/passwordsecurityfilter.h
new file mode 100644
index 000000000..c098f05ad
--- /dev/null
+++ b/src/zenhttp/include/zenhttp/security/passwordsecurityfilter.h
@@ -0,0 +1,51 @@
+// Copyright Epic Games, Inc. All Rights Reserved.
+
+#pragma once
+
+#include <zenhttp/httpserver.h>
+#include <zenhttp/security/passwordsecurity.h>
+
+namespace zen {
+
+class PasswordHttpFilter : public IHttpRequestFilter
+{
+public:
+	static constexpr std::string_view TypeName = "password";
+
+	struct Configuration
+	{
+		PasswordSecurity::Configuration PasswordConfig;
+		std::string						AuthenticationTypeString;
+	};
+
+	/**
+	 * Expected format (Json)
+	 *	{
+	 *      "password": {						# "Authorization: Basic <username:password base64 encoded>" style
+	 *         "username": "<username>",
+	 *         "password": "<password>"
+	 *      },
+	 *		"protect-machine-local-requests": false,
+	 *		"unprotected-uris": [
+	 *			"/health/",
+	 *			"/health/info",
+	 *			"/health/version"
+	 *		]
+	 *	}
+	 */
+	static Configuration ReadConfiguration(CbObjectView Config);
+
+	explicit PasswordHttpFilter(const PasswordHttpFilter::Configuration& Config)
+	: m_PasswordSecurity(Config.PasswordConfig)
+	, m_AuthenticationTypeString(Config.AuthenticationTypeString)
+	{
+	}
+
+	virtual Result FilterRequest(HttpServerRequest& Request) override;
+
+private:
+	PasswordSecurity  m_PasswordSecurity;
+	const std::string m_AuthenticationTypeString;
+};
+
+}  // namespace zen