From 549841cfac4250b523cda8cd6c8292360752e9b8 Mon Sep 17 00:00:00 2001
From: ek0ms savi0r <ek0mssavi0r@noreply.git.churchofmalware.org>
Date: Tue, 2 Jun 2026 06:01:18 +0000
Subject: [PATCH] Upload files to "c2s_ipfs_payloads/pkg"

---
 c2s_ipfs_payloads/pkg/auth.go | 65 +++++++++++++++++++++++++++++++++++
 1 file changed, 65 insertions(+)
 create mode 100644 c2s_ipfs_payloads/pkg/auth.go

diff --git a/c2s_ipfs_payloads/pkg/auth.go b/c2s_ipfs_payloads/pkg/auth.go
new file mode 100644
index 0000000..7a6d4e8
--- /dev/null
+++ b/c2s_ipfs_payloads/pkg/auth.go
@@ -0,0 +1,65 @@
+// Package auth provides simple HTTP basic authentication middleware for the CID hub.
+package auth
+
+import (
+	"crypto/subtle"
+	"net/http"
+)
+
+// BasicAuth wraps an HTTP handler with basic auth protection.
+func BasicAuth(username, password string, next http.HandlerFunc) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		if username == "" {
+			// No auth configured
+			next(w, r)
+			return
+		}
+
+		user, pass, ok := r.BasicAuth()
+		if !ok {
+			w.Header().Set("WWW-Authenticate", `Basic realm="CID Hub"`)
+			http.Error(w, "Unauthorized", http.StatusUnauthorized)
+			return
+		}
+
+		userMatch := subtle.ConstantTimeCompare([]byte(user), []byte(username)) == 1
+		passMatch := subtle.ConstantTimeCompare([]byte(pass), []byte(password)) == 1
+
+		if !userMatch || !passMatch {
+			http.Error(w, "Forbidden", http.StatusForbidden)
+			return
+		}
+
+		next(w, r)
+	}
+}
+
+// JWTAuth wraps an HTTP handler with JWT bearer token auth.
+// This is a simple token comparison for HMAC-style tokens.
+func JWTAuth(token string, next http.HandlerFunc) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		if token == "" {
+			next(w, r)
+			return
+		}
+
+		authHeader := r.Header.Get("Authorization")
+		if authHeader == "" {
+			http.Error(w, "Missing Authorization header", http.StatusUnauthorized)
+			return
+		}
+
+		// Support both "Bearer <token>" and "<token>" directly
+		provided := authHeader
+		if len(authHeader) > 7 && authHeader[:7] == "Bearer " {
+			provided = authHeader[7:]
+		}
+
+		if subtle.ConstantTimeCompare([]byte(provided), []byte(token)) != 1 {
+			http.Error(w, "Forbidden", http.StatusForbidden)
+			return
+		}
+
+		next(w, r)
+	}
+}