From 5e5130c398ea57ae0e7793e0087ce1e433e9ea05 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Th=C3=A9ophile=20Diot?= Date: Tue, 31 Dec 2024 18:28:49 +0000 Subject: [PATCH] [#1467] Add multi-user support in Auth basic plugin with dynamic user-password handling and update AUTH_BASIC_LOCATION regex to be more open --- CHANGELOG.md | 1 + src/common/core/authbasic/confs/server-http/htpasswd | 12 ++++++++++-- src/common/core/authbasic/plugin.json | 8 +++++--- 3 files changed, 16 insertions(+), 5 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index f8908d334e..0859c06bc9 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -13,6 +13,7 @@ - [FEATURE] Add country tracking to bans data - [FEATURE] Refactored the way the database migrations are handled to make it more reliable and faster using alembic - [FEATURE] Add configurable limit for SecRequestBodyNoFilesLimit in ModSecurity via the `MODSECURITY_REQ_BODY_NO_FILES_LIMIT` setting +- [FEATURE] Add multi-user support in `Auth basic` plugin - [DEPRECATION] Remove `X-XSS-Protection` header from the `header` plugin as it is deprecated - [DEPS] Updated coreruleset-v4 version to v4.10.0 diff --git a/src/common/core/authbasic/confs/server-http/htpasswd b/src/common/core/authbasic/confs/server-http/htpasswd index 726ee426bd..20cd0d2a38 100644 --- a/src/common/core/authbasic/confs/server-http/htpasswd +++ b/src/common/core/authbasic/confs/server-http/htpasswd @@ -1,4 +1,12 @@ {%- if USE_AUTH_BASIC == "yes" -%} {%- set passlib_hash = import('passlib.hash') -%} -{{ AUTH_BASIC_USER }}:{{ passlib_hash.sha512_crypt.hash(AUTH_BASIC_PASSWORD) }} -{%- endif %} + {% for k, v in all.items() %} + {% if k.startswith("AUTH_BASIC_USER") and v != "" -%} + {% set user = v %} + {% set password = all[k.replace("USER", "PASSWORD")] if k.replace("USER", "PASSWORD") in all else "" %} + {% if password != "" %} +{{ user }}:{{ passlib_hash.sha512_crypt.hash(password) }} + {% endif %} + {% endif %} + {% endfor %} +{% endif %} 
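Review bot: In the `htpasswd` template hunk, the password lookup pairs keys by a prefix test plus a global substitution: `k.startswith("AUTH_BASIC_USER")` accepts any setting whose name begins with that string, and `k.replace("USER", "PASSWORD")` rewrites every `USER` in the key, not only the one in the setting name. Taking the part of `k` after `AUTH_BASIC_USER` as an explicit suffix and looking up `all.get("AUTH_BASIC_PASSWORD" ~ suffix, "")` (assuming `all` is a plain dict, as the `.items()` call suggests) keeps the pairing exact, ideally with a check that the suffix is empty or `_<number>`. A user whose password is empty or missing is skipped without any trace, so a mis-numbered pair silently produces a file that lacks that account; a template comment such as `{# users without a matching non-empty AUTH_BASIC_PASSWORD* are omitted on purpose #}` would record that this is intended. `{{ user }}` is written verbatim, so the `user:hash` line format depends entirely on the setting's validation rejecting `:` and line breaks.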
diff --git a/src/common/core/authbasic/plugin.json b/src/common/core/authbasic/plugin.json
index cab4f5ff4e..a929403c44 100644
--- a/src/common/core/authbasic/plugin.json
+++ b/src/common/core/authbasic/plugin.json
@@ -20,7 +20,7 @@
 "help": "URL of the protected resource or sitewide value.",
 "id": "auth-basic-location",
 "label": "Auth basic Location",
- "regex": "^(sitewide|/[a-zA-Z0-9.\\/\\-]*)$",
+ "regex": "^.*$",
 "type": "text"
 },
 "AUTH_BASIC_USER": {
@@ -30,7 +30,8 @@
 "id": "auth-basic-user",
 "label": "Auth basic Username",
 "regex": "^[\\w\\-]+",
- "type": "text"
+ "type": "text",
+ "multiple": "auth-basic-credentials"
 },
 "AUTH_BASIC_PASSWORD": {
 "context": "multisite",
@@ -39,7 +40,8 @@
 "id": "auth-basic-password",
 "label": "Password",
 "regex": "^.+",
- "type": "password"
+ "type": "password",
+ "multiple": "auth-basic-credentials"
 },
 "AUTH_BASIC_TEXT": {
 "context": "multisite",
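Review bot: The first `plugin.json` hunk replaces the `AUTH_BASIC_LOCATION` pattern with `^.*$`, which no longer validates anything: spaces, `;`, `{`, `}` and quotes are all accepted. The template that consumes this setting is not part of the diff, but if the value is placed unquoted into an nginx `location` line, such characters alter the structure of the generated configuration, not only the matched path. If the goal is to allow more path characters, a pattern that still excludes configuration metacharacters keeps the guard, e.g. `"regex": "^(sitewide|/[^\\s;{}]*)$",`. If regex locations are intended, the `help` string should say so and the value should be quoted where it is rendered.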
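Review bot: In the second `plugin.json` hunk, `AUTH_BASIC_USER` becomes a repeatable setting while its pattern stays `^[\\w\\-]+` with no end anchor (context line). Whether the validator applies a full match is not visible here; if it only matches a prefix, a value such as `name:extra` passes and the `:` shifts the field boundary in the generated `user:hash` line. Anchoring the pattern closes that gap regardless of how the validator matches: `"regex": "^[\\w\\-]+$",`. The third hunk has the same unanchored shape for `AUTH_BASIC_PASSWORD` (`^.+`), which does not affect the file format because the password is hashed before it is written. The `help` strings for both settings lie outside these hunks; they are the natural place to state that a user and its password must carry the same numeric suffix.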