Allow Authorization: Basic as a fallback for GitHub, etc.

README.md

@@ -57,7 +57,7 @@ DNS is used for authorization of content updates.
 
 - If a `[wildcard]` configuration section is specified, and if the suffix of a hostname in a `POST` request is equal to `[wildcard].domain`, then the request is authorized when and only when the repository URL in the event body matches the repository URL computed from the configuration file. Otherwise the next rule is used.
 
-- If a `PUT` or `POST` request is received at `<hostname>` with an `Authorization: Pages <token>` header (or, in absence of such, with an `?Authorization=Pages+<token>` query parameter), then the request is authorized when any of the the TXT records at `_git-pages-challenge.<hostname>` are equal to `SHA256("<hostname> <token>")`.
+- If a `PUT` or `POST` request is received at `<hostname>` with an `Authorization: Pages <token>` header (or, in absence of such, with an `Authorization: Basic <basic>` header, where `<basic>` is equal to `Base64("Pages <token>")`), then the request is authorized when any of the the TXT records at `_git-pages-challenge.<hostname>` are equal to `SHA256("<hostname> <token>")`.
 
 
 Architecture

src/auth.go

@@ -2,6 +2,7 @@ package main
 
 import (
 	"crypto/sha256"
+	"encoding/base64"
 	"fmt"
 	"net"
 	"net/http"
@@ -34,11 +35,34 @@ func Authorize(w http.ResponseWriter, r *http.Request) error {
 		return fmt.Errorf("malformed Authorization header")
 	}
 
-	if scheme != "Pages" {
+	if scheme != "Pages" && scheme != "Basic" {
 		http.Error(w, "unknown Authorization scheme", http.StatusBadRequest)
 		return fmt.Errorf("unknown Authorization scheme")
 	}
 
+	// services like GitHub and Gogs cannot send a custom Authorization: header, but supplying
+	// username and password in the URL is basically just as good
+	if scheme == "Basic" {
+		basicParam, err := base64.StdEncoding.DecodeString(param)
+		if err != nil {
+			http.Error(w, "malformed Authorization: Basic header", http.StatusBadRequest)
+			return fmt.Errorf("malformed Authorization: Basic header")
+		}
+
+		username, password, found := strings.Cut(string(basicParam), ":")
+		if !found {
+			http.Error(w, "malformed Authorization: Basic parameter", http.StatusBadRequest)
+			return fmt.Errorf("malformed Authorization: Basic parameter")
+		}
+
+		if username != "Pages" {
+			http.Error(w, "unexpected Authorization: Basic username", http.StatusUnauthorized)
+			return fmt.Errorf("unexpected Authorization: Basic username")
+		}
+
+		param = password
+	}
+
 	challengeHostname := fmt.Sprintf("_git-pages-challenge.%s", host)
 	actualChallenges, err := net.LookupTXT(challengeHostname)
 	if err != nil {

src/pages.go

@@ -196,13 +196,6 @@ func postPage(w http.ResponseWriter, r *http.Request) error {
 		}
 		allowRepoURL = fmt.Sprintf(config.Wildcard.CloneURL, userName, repoName)
 	} else {
-		// GitHub and Gogs cannot supply an `Authorization:` header.
-		if r.Header.Get("Authorization") == "" {
-			if value := r.URL.Query().Get("Authorization"); value != "" {
-				r.Header.Set("Authorization", value)
-			}
-		}
-
 		if err := Authorize(w, r); err != nil {
 			return err
 		}