From f9656e1d1de7ce715f99e9216d301bcd270a15e2 Mon Sep 17 00:00:00 2001
From: evilsocket
Date: Wed, 29 Aug 2018 16:00:17 +0300
Subject: [PATCH] new: disabling api.rest authentication if username or password are empty
---
 modules/api_rest.go | 4 ++--
 modules/api_rest_controller.go | 14 ++++++++------
 2 files changed, 10 insertions(+), 8 deletions(-)
diff --git a/modules/api_rest.go b/modules/api_rest.go
index 8b932f67..71845023 100644
--- a/modules/api_rest.go
+++ b/modules/api_rest.go
@@ -50,12 +50,12 @@ func NewRestAPI(s *session.Session) *RestAPI {
 api.AddParam(session.NewStringParameter("api.rest.username",
 "",
- ".+",
+ "",
 "API authentication username."))
 api.AddParam(session.NewStringParameter("api.rest.password",
 "",
- ".+",
+ "",
 "API authentication password."))
 api.AddParam(session.NewStringParameter("api.rest.certificate",
diff --git a/modules/api_rest_controller.go b/modules/api_rest_controller.go
index 8d0dd511..7c99e18f 100644
--- a/modules/api_rest_controller.go
+++ b/modules/api_rest_controller.go
@@ -43,12 +43,14 @@ func toJSON(w http.ResponseWriter, o interface{}) {
 }
 func (api *RestAPI) checkAuth(r *http.Request) bool {
- user, pass, _ := r.BasicAuth()
- // timing attack my ass
- if subtle.ConstantTimeCompare([]byte(user), []byte(api.username)) != 1 {
- return false
- } else if subtle.ConstantTimeCompare([]byte(pass), []byte(api.password)) != 1 {
- return false
+ if api.username != "" && api.password != "" {
+ user, pass, _ := r.BasicAuth()
+ // timing attack my ass
+ if subtle.ConstantTimeCompare([]byte(user), []byte(api.username)) != 1 {
+ return false
+ } else if subtle.ConstantTimeCompare([]byte(pass), []byte(api.password)) != 1 {
+ return false
+ }
 }
 return true
 }
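Review bot: The parameter descriptions for `api.rest.username` and `api.rest.password` still read as if the values were mandatory, while dropping the `.+` validator makes an empty value legal and, per the controller change in this same commit, an empty value turns authentication off entirely; that consequence should be visible where the user sets the parameter. I would change the two description strings to `"API authentication username (leave empty to disable authentication)."` and `"API authentication password (leave empty to disable authentication)."` so the operator is told at configuration time rather than discovering an unauthenticated API later. NewRestAPI continues past the end of this hunk; if the module has a start-up log line there, it is also the natural place to warn loudly when the API comes up without authentication.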
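Review bot: The guard `if api.username != "" && api.password != ""` disables authentication whenever either credential is empty, so a half-configured pair (username set, password left blank or mistyped into the wrong parameter) silently exposes the whole REST API instead of rejecting every request; the safer reading of "no credentials configured" is that both are empty. Changing the condition to `if api.username != "" || api.password != "" {` keeps the intended opt-out when nothing is configured and fails closed when only one value is set, since ConstantTimeCompare against the configured value then still has to succeed for both fields. The commit message says "username or password", but the visible code makes the or-case the unauthenticated one, which looks inverted relative to that intent. A one-line comment on the guard, `// both empty => authentication intentionally disabled`, would make the policy explicit for the next reader.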