auth: HTTP Basic Auth (UI_USERNAME + UI_PASSWORD)

middleware.ts

@@ -1,28 +1,26 @@
 /**
- * HTTP Basic Auth gate in front of the entire UI.
+ * HTTP Basic Auth gate for the entire UI.
  *
- * Why: the underlying HF Space is going Public so non-org users can reach the
- * URL, but BSS docs and the inference API still need a single shared
- * credential. The password is read from the server-only env var
- * `UI_PASSWORD` (set as an HF Space secret) — never inlined into the bundle.
+ * Username is read from `UI_USERNAME` (defaults to "etiya") and password from
+ * `UI_PASSWORD`. Both are server-only env vars set as HF Space secrets — they
+ * are never inlined into the client bundle.
  *
- * The browser handles the credential prompt natively — no login page UI to
- * design. Users authenticate once per session; refreshes carry the cached
- * credentials transparently.
+ * The browser's native credentials prompt handles the UX. After the user
+ * authenticates once, the browser caches the credentials per-origin and
+ * sends them automatically on every subsequent request to this realm.
  */
 import { NextRequest, NextResponse } from "next/server";
 
 export const config = {
-  // Run on every route except Next's internals and static assets.
-  matcher: ["/((?!_next/static|_next/image|favicon.ico).*)"],
+  matcher: ["/((?!_next/static|_next/image|_next/data|favicon.ico).*)"],
 };
 
 const REALM = 'Basic realm="Etiya BSS Atelier", charset="UTF-8"';
 
 export function middleware(req: NextRequest) {
   const password = process.env.UI_PASSWORD;
-  // No password configured → fail open. Lets local dev work without setup,
-  // and prevents an unconfigured deploy from looking broken.
+  const username = process.env.UI_USERNAME || "etiya";
+  // Fail-open if no password configured — useful for local dev with no setup.
   if (!password) return NextResponse.next();
 
   const auth = req.headers.get("authorization");
@@ -30,16 +28,23 @@ export function middleware(req: NextRequest) {
     return unauthorised();
   }
 
+  let user = "";
   let pass = "";
   try {
     const decoded = atob(auth.slice("Basic ".length));
     const colon = decoded.indexOf(":");
-    pass = colon >= 0 ? decoded.slice(colon + 1) : decoded;
+    if (colon >= 0) {
+      user = decoded.slice(0, colon);
+      pass = decoded.slice(colon + 1);
+    }
   } catch {
     return unauthorised();
   }
 
-  if (!constantTimeEqual(pass, password)) {
+  if (
+    !constantTimeEqual(user, username) ||
+    !constantTimeEqual(pass, password)
+  ) {
     return unauthorised();
   }
   return NextResponse.next();
@@ -51,14 +56,12 @@ function unauthorised() {
     headers: {
       "WWW-Authenticate": REALM,
       "Content-Type": "text/plain; charset=utf-8",
+      // Discourage caching the 401 response so re-prompts behave predictably.
+      "Cache-Control": "no-store",
     },
   });
 }
 
-/**
- * Constant-time string comparison — avoids timing leaks even though we're
- * gating a single shared secret. Cheap insurance.
- */
 function constantTimeEqual(a: string, b: string): boolean {
   if (a.length !== b.length) return false;
   let diff = 0;