From 5e1e23e209eec75a396c18f8eee3d93a9e196bfc Mon Sep 17 00:00:00 2001
From: Dan Engelbrecht <dan.engelbrecht@epicgames.com>
Date: Tue, 17 Feb 2026 14:00:53 +0100
Subject: add http server root password protection (#757)

- Feature: Added `--security-config-path` option to zenserver to configure security settings
  - Expects a path to a .json file
  - Default is an empty path resulting in no extra security settings and legacy behavior
  - Current support is a top level filter of incoming http requests restricted to the `password` type
  - `password` type will check the `Authorization` header and match it to the selected authorization strategy
  - Currently the security settings is very basic and configured to a fixed username+password at startup

        {
            "http" {
                "root": {
                    "filter": {
                        "type": "password",
                        "config": {
	                          "password": {
	                              "username": "<username>",
	                              "password": "<password>"
	                          },
                            "protect-machine-local-requests": false,
	                          "unprotected-uris": [
	                              "/health/",
	                              "/health/info",
	                              "/health/version"
	                          ]
                        }
                    }
                }
            }
        }
---
 src/zenhttp/servers/httpparser.cpp | 6 ++++++
 1 file changed, 6 insertions(+)

(limited to 'src/zenhttp/servers/httpparser.cpp')

diff --git a/src/zenhttp/servers/httpparser.cpp b/src/zenhttp/servers/httpparser.cpp
index 93094e21b..be5befcd2 100644
--- a/src/zenhttp/servers/httpparser.cpp
+++ b/src/zenhttp/servers/httpparser.cpp
@@ -19,6 +19,7 @@ static constinit uint32_t HashExpect		= HashStringAsLowerDjb2("Expect"sv);
 static constinit uint32_t HashSession		= HashStringAsLowerDjb2("UE-Session"sv);
 static constinit uint32_t HashRequest		= HashStringAsLowerDjb2("UE-Request"sv);
 static constinit uint32_t HashRange			= HashStringAsLowerDjb2("Range"sv);
+static constinit uint32_t HashAuthorization = HashStringAsLowerDjb2("Authorization"sv);
 
 //////////////////////////////////////////////////////////////////////////
 //
@@ -154,6 +155,10 @@ HttpRequestParser::ParseCurrentHeader()
 	{
 		m_ContentTypeHeaderIndex = CurrentHeaderIndex;
 	}
+	else if (HeaderHash == HashAuthorization)
+	{
+		m_AuthorizationHeaderIndex = CurrentHeaderIndex;
+	}
 	else if (HeaderHash == HashSession)
 	{
 		m_SessionId = Oid::TryFromHexString(HeaderValue);
@@ -357,6 +362,7 @@ HttpRequestParser::ResetState()
 	m_AcceptHeaderIndex		   = -1;
 	m_ContentTypeHeaderIndex   = -1;
 	m_RangeHeaderIndex		   = -1;
+	m_AuthorizationHeaderIndex = -1;
 	m_Expect100Continue		   = false;
 	m_BodyBuffer			   = {};
 	m_BodyPosition			   = 0;
-- 
cgit v1.2.3