refactor: extract basic_auth_header helper, add plaintext credential warnings

- basic_auth_header() in config.rs replaces 6 inline STANDARD.encode calls - warn_plaintext_credentials() logs warning at startup if auth is in config.toml - All protocol handlers use shared helper instead of duplicating base64 logic
2026-04-12 23:10:32 +00:00 · 2026-03-15 21:37:51 +00:00
parent e02e63a972
commit 7345dfc7e7
7 changed files with 54 additions and 21 deletions
--- a/nora-registry/src/registry/docker.rs
+++ b/nora-registry/src/registry/docker.rs
@@ -3,6 +3,7 @@

 use crate::activity_log::{ActionType, ActivityEntry};
 use crate::audit::AuditEntry;
+use crate::config::basic_auth_header;
 use crate::registry::docker_auth::DockerAuth;
 use crate::storage::Storage;
 use crate::validation::{validate_digest, validate_docker_name, validate_docker_reference};
@@ -15,7 +16,6 @@ use axum::{
    routing::{delete, get, head, patch, put},
    Json, Router,
 };
-use base64::{engine::general_purpose::STANDARD, Engine};
 use parking_lot::RwLock;
 use serde::{Deserialize, Serialize};
 use serde_json::{json, Value};
@@ -748,8 +748,7 @@ async fn fetch_blob_from_upstream(
    // First try — with basic auth if configured
    let mut request = client.get(&url).timeout(Duration::from_secs(timeout));
    if let Some(credentials) = basic_auth {
-        let encoded = STANDARD.encode(credentials);
-        request = request.header("Authorization", format!("Basic {}", encoded));
+        request = request.header("Authorization", basic_auth_header(credentials));
    }
    let response = request.send().await.map_err(|_| ())?;

@@ -817,8 +816,7 @@ async fn fetch_manifest_from_upstream(
        .timeout(Duration::from_secs(timeout))
        .header("Accept", accept_header);
    if let Some(credentials) = basic_auth {
-        let encoded = STANDARD.encode(credentials);
-        request = request.header("Authorization", format!("Basic {}", encoded));
+        request = request.header("Authorization", basic_auth_header(credentials));
    }
    let response = request.send().await.map_err(|e| {
        tracing::error!(error = %e, url = %url, "Failed to send request to upstream");
--- a/nora-registry/src/registry/docker_auth.rs
+++ b/nora-registry/src/registry/docker_auth.rs
@@ -1,7 +1,7 @@
 // Copyright (c) 2026 Volkov Pavel | DevITWay
 // SPDX-License-Identifier: MIT

-use base64::{engine::general_purpose::STANDARD, Engine};
+use crate::config::basic_auth_header;
 use parking_lot::RwLock;
 use std::collections::HashMap;
 use std::time::{Duration, Instant};
@@ -91,8 +91,7 @@ impl DockerAuth {

        let mut request = self.client.get(&url);
        if let Some(credentials) = basic_auth {
-            let encoded = STANDARD.encode(credentials);
-            request = request.header("Authorization", format!("Basic {}", encoded));
+            request = request.header("Authorization", basic_auth_header(credentials));
            tracing::debug!("Using basic auth for token request");
        }

@@ -123,8 +122,7 @@ impl DockerAuth {
        // First try — with basic auth if configured, otherwise anonymous
        let mut request = self.client.get(url);
        if let Some(credentials) = basic_auth {
-            let encoded = STANDARD.encode(credentials);
-            request = request.header("Authorization", format!("Basic {}", encoded));
+            request = request.header("Authorization", basic_auth_header(credentials));
        }
        let response = request.send().await.map_err(|_| ())?;

--- a/nora-registry/src/registry/maven.rs
+++ b/nora-registry/src/registry/maven.rs
@@ -3,6 +3,7 @@

 use crate::activity_log::{ActionType, ActivityEntry};
 use crate::audit::AuditEntry;
+use crate::config::basic_auth_header;
 use crate::AppState;
 use axum::{
    body::Bytes,
@@ -12,7 +13,6 @@ use axum::{
    routing::{get, put},
    Router,
 };
-use base64::{engine::general_purpose::STANDARD, Engine};
 use std::sync::Arc;
 use std::time::Duration;

@@ -136,8 +136,7 @@ async fn fetch_from_proxy(
 ) -> Result<Vec<u8>, ()> {
    let mut request = client.get(url).timeout(Duration::from_secs(timeout_secs));
    if let Some(credentials) = auth {
-        let encoded = STANDARD.encode(credentials);
-        request = request.header("Authorization", format!("Basic {}", encoded));
+        request = request.header("Authorization", basic_auth_header(credentials));
    }
    let response = request.send().await.map_err(|_| ())?;

--- a/nora-registry/src/registry/npm.rs
+++ b/nora-registry/src/registry/npm.rs
@@ -3,6 +3,7 @@

 use crate::activity_log::{ActionType, ActivityEntry};
 use crate::audit::AuditEntry;
+use crate::config::basic_auth_header;
 use crate::AppState;
 use axum::{
    body::Bytes,
@@ -12,7 +13,6 @@ use axum::{
    routing::get,
    Router,
 };
-use base64::{engine::general_purpose::STANDARD, Engine};
 use std::sync::Arc;
 use std::time::Duration;

@@ -108,8 +108,7 @@ async fn fetch_from_proxy(
 ) -> Result<Vec<u8>, ()> {
    let mut request = client.get(url).timeout(Duration::from_secs(timeout_secs));
    if let Some(credentials) = auth {
-        let encoded = STANDARD.encode(credentials);
-        request = request.header("Authorization", format!("Basic {}", encoded));
+        request = request.header("Authorization", basic_auth_header(credentials));
    }
    let response = request.send().await.map_err(|_| ())?;

--- a/nora-registry/src/registry/pypi.rs
+++ b/nora-registry/src/registry/pypi.rs
@@ -3,6 +3,7 @@

 use crate::activity_log::{ActionType, ActivityEntry};
 use crate::audit::AuditEntry;
+use crate::config::basic_auth_header;
 use crate::AppState;
 use axum::{
    extract::{Path, State},
@@ -11,7 +12,6 @@ use axum::{
    routing::get,
    Router,
 };
-use base64::{engine::general_purpose::STANDARD, Engine};
 use std::sync::Arc;
 use std::time::Duration;

@@ -217,8 +217,7 @@ async fn fetch_package_page(
        .timeout(Duration::from_secs(timeout_secs))
        .header("Accept", "text/html");
    if let Some(credentials) = auth {
-        let encoded = STANDARD.encode(credentials);
-        request = request.header("Authorization", format!("Basic {}", encoded));
+        request = request.header("Authorization", basic_auth_header(credentials));
    }
    let response = request.send().await.map_err(|_| ())?;

@@ -238,8 +237,7 @@ async fn fetch_file(
 ) -> Result<Vec<u8>, ()> {
    let mut request = client.get(url).timeout(Duration::from_secs(timeout_secs));
    if let Some(credentials) = auth {
-        let encoded = STANDARD.encode(credentials);
-        request = request.header("Authorization", format!("Basic {}", encoded));
+        request = request.header("Authorization", basic_auth_header(credentials));
    }
    let response = request.send().await.map_err(|_| ())?;