Add Private Hosting Authentication Support

[stescobedo92]

This PR adds support for private hosting of the Docker Image Save service, allowing the server to be protected by authentication (Basic Auth and/or API keys). This enables users to run their own instance securely, restricting access to image downloads.

---

Features

• Authentication Middleware: Protects /image endpoint with Basic Auth and/or API keys.
• Configurable via YAML: Enable/disable auth, set username/password, and define multiple API keys in the config file.
• Backwards Compatible: If auth is not configured, the service remains public.
• Comprehensive Unit Tests: 80+ tests for config, auth, and server integration.

---

Configuration Example

port: 8080

auth:
  enabled: true
  username: <YOUR_USERNAME>
  password: <YOUR_PASSWORD>
  api_keys:
    - <API_KEY_1>
    - <API_KEY_2>

• enabled: Set to true to require authentication.
• username/password: Credentials for HTTP Basic Auth.
• api_keys: List of valid API keys for programmatic access (via header or query param).

---

How It Works

• /image endpoint is protected when auth.enabled: true.
• Accepts:
  • HTTP Basic Auth (Authorization: Basic ...)
  • API key in header (X-API-Key: ...)
  • API key in query param (?api_key=...)
• All other endpoints (/health, /metrics, /logo.png, /) remain public.

---

How to Test

1. Start the server with auth enabled

go build -o dockerimagesave.exe .
./dockerimagesave.exe -config config.test.yaml

2. Test without authentication (should fail)

curl -i "http://localhost:8080/image?name=alpine"
# Should return HTTP/1.1 401 Unauthorized

3. Test with Basic Auth

curl -i -u <YOUR_USERNAME>:<YOUR_PASSWORD> "http://localhost:8080/image?name=alpine"
# Should return HTTP/1.1 200 OK and download the image

4. Test with API Key (header)

curl -i -H "X-API-Key: <API_KEY_1>" "http://localhost:8080/image?name=alpine"
# Should return HTTP/1.1 200 OK

5. Test with API Key (query param)

curl -i "http://localhost:8080/image?name=alpine&api_key=<API_KEY_1>"
# Should return HTTP/1.1 200 OK

6. Health endpoint remains public

curl -i "http://localhost:8080/health"
# Should return HTTP/1.1 200 OK

---

Code Changes

config.go

• Added AuthConfig struct and auth field to Config.
• Validation for required credentials when auth is enabled.

auth.go (new)

• Implements authentication middleware for Basic Auth and API keys.
• Secure constant-time comparison for credentials.

server.go

• Integrates AuthMiddleware.
• Protects /image endpoint when auth is enabled.

main.go

• Loads and passes auth config to the server.
• Logs auth config on startup for debug.

config.example.yaml

• Added commented example for auth section.

---

Checklist

• Auth config in YAML
• Middleware for Basic Auth and API keys
• Unit and integration tests
• Backwards compatible
• Documented usage and testing

[gitguardian]

⚠️ GitGuardian has uncovered 1 secret following the scan of your pull request.

Please consider investigating the findings and remediating the incidents. Failure to do so may lead to compromising the associated services or software components.

Since your pull request originates from a forked repository, GitGuardian is not able to associate the secrets uncovered with secret incidents on your GitGuardian dashboard.
Skipping this check run and merging your pull request will create secret incidents on your GitGuardian dashboard.

🔎 Detected hardcoded secret in your pull request

GitGuardian id	GitGuardian status	Secret	Commit	Filename
-	-	Username Password	eaf2a39	auth_test.go	View secret

🛠 Guidelines to remediate hardcoded secrets

1. Understand the implications of revoking this secret by investigating where it is used in your code.
2. Replace and store your secret safely. Learn here the best practices.
3. Revoke and rotate this secret.
4. If possible, rewrite git history. Rewriting git history is not a trivial act. You might completely break other contributing developers' workflow and you risk accidentally deleting legitimate data.

To avoid such incidents in the future consider

• following these best practices for managing and storing secrets including API keys and other credentials
• install secret detection on pre-commit to catch secret before it leaves your machine and ease remediation.

---

^{🦉 GitGuardian detects secrets in your source code to help developers and security teams secure the modern development process. You are seeing this because you or someone else with access to this repository has authorized GitGuardian to scan your pull request.}

[Copilot]

Pull request overview

This PR adds comprehensive private hosting authentication support to the Docker Image Save service, along with multi-platform image support. The changes enable secure private deployments with Basic Auth and API key authentication, while adding the ability to download platform-specific images (e.g., linux/amd64, linux/arm64).

Key changes:

• Authentication middleware with support for Basic Auth and API keys (header and query parameter)
• Platform parameter support for multi-architecture image downloads
• Enhanced security with path traversal prevention and constant-time credential comparison

Reviewed changes

Copilot reviewed 11 out of 11 changed files in this pull request and generated 5 comments.

Show a summary per file

File	Description
auth.go	New authentication middleware implementing Basic Auth and API key validation with constant-time comparison
auth_test.go	Comprehensive test coverage for authentication scenarios (457 lines)
config.go	Added AuthConfig structure with validation for authentication credentials
config_test.go	Tests for authentication configuration loading and validation
main.go	Integrated authentication configuration loading with fallback to config.yaml if it exists
server.go	Protected /image endpoint with auth middleware, added platform parameter support, path traversal prevention, and platform validation
server_test.go	Added 470+ lines of tests for platform support, authentication integration, and path sanitization
image.go	Modified to accept platform parameter and generate platform-specific filenames
image_test.go	Tests for platform-aware image downloads and filename generation
registry.go	Added Platform struct and parsing, improved manifest selection to return errors for unsupported platforms instead of silent fallback
registry_test.go	Tests for platform parsing and string representation

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.