feat: auth

[polarhive]

• [x] Setup basic passphrase based authentication when sending pastes over HTTPS
• [x] Consider using HTTP headers for passing the passphrase, X-Auth-Passphrase
• [x] Use environment variables, do not hard-encode the password within the Go binary
• [ ] Setup a rate-limit to prevent brute-force attacks like how fail2ban does. (~200 bounty points weight)

[ManishMDharani]

can i get assigned?

[polarhive]

!assign @ManishMDharani

[polarhive]

!deassign @ManishMDharani

[ManishMDharani]

can i please get this assigned?

[polarhive]

!assign @ManishMDharani

[polarhive]

!deassign

[polarhive]

@ManishMDharani do you want to take this?

[Delta18-Git]

I kinda did this. Can I make a PR‌ real quick?

[Delta18-Git]

problem I'm facing is that the rate limit isn't expiring...

[Delta18-Git]

I was mistaken it works

[Delta18-Git]

11 is the PR

[polarhive]

What I'm looking for is a mechanism that tracks failed $PASSPHRASE header attempts by IP. For instance, after each failed passphrase, the cooldown for that IP could be increased by 5 minutes.

    // Check for passphrase in headers
    if r.Header.Get("X-Auth-Passphrase") != passphrase {
        http.Error(w, "Unauthorized", http.StatusUnauthorized)
        return

While your rate-limiting effectively prevents spammy behavior and limits excessive requests from the same IP, it doesn’t currently provide protection against brute force password attacks since failed passphrase attempts aren’t tracked separately.

I can !extend your time if you'd like to work on it for the rest of the bounty points.

[Delta18-Git]

Hi sorry, I was on my way home and didn't see the update, Thanks for the advice, I'll work on this when I have more time next week for fun. Thanks!