Add optional FAKTORY_WEBUI_PASSWORD with argon2id, bcrypt, scrypt, and PBKDF2 support

cli/cli.go

@@ -27,6 +27,13 @@ type CliOptions struct {
 	StorageDirectory string
 }
 
+type passwordType string
+
+const (
+	passwordTypeWebUI  passwordType = "webui"
+	passwordTypeServer passwordType = "server"
+)
+
 func ParseArguments() CliOptions {
 
 	fenv := os.Getenv("FAKTORY_ENV")
@@ -146,10 +153,14 @@ func BuildServer(opts *CliOptions) (*server.Server, func() error, error) {
 		return nil, nil, err
 	}
 
-	pwd, err := fetchPassword(globalConfig, opts.Environment)
+	pwd, err := fetchPassword(globalConfig, opts.Environment, passwordTypeServer)
 	if err != nil {
 		return nil, nil, err
 	}
+	webPwd, err := fetchPassword(globalConfig, opts.Environment, passwordTypeWebUI)
+	if err != nil {
+		util.Warnf("unable to fetch Web UI password, defaulting to server's: %v", err)
+	}
 
 	sock := fmt.Sprintf("%s/redis.sock", opts.StorageDirectory)
 	stopper, err := storage.Boot(opts.StorageDirectory, sock)
@@ -172,6 +183,7 @@ func BuildServer(opts *CliOptions) (*server.Server, func() error, error) {
 		RedisSock:        sock,
 		GlobalConfig:     globalConfig,
 		Password:         pwd,
+		WebUIPassword:    webPwd,
 		PoolSize:         server.DefaultMaxPoolSize,
 	}
 
@@ -247,33 +259,54 @@ func readConfig(cdir string, env string) (map[string]any, error) {
 // [faktory]
 // password = "foobar" # or...
 // password = "/run/secrets/my_faktory_password"
-func fetchPassword(cfg map[string]any, env string) (string, error) {
+//
+// [web]
+// password = "foobar" # or...
+// password = "/run/secrets/my_faktory_password"
+func fetchPassword(cfg map[string]any, env string, pwdtype passwordType) (string, error) {
 	password := ""
 
+	var envKey string
+	var pwdPath string
+	cfgPath := struct {
+		Subsys string
+		Elm    string
+	}{}
+	if pwdtype == passwordTypeServer {
+		envKey = "FAKTORY_PASSWORD"
+		pwdPath = "/etc/faktory/password"
+		cfgPath.Subsys = "faktory"
+		cfgPath.Elm = "password"
+	} else {
+		envKey = "FAKTORY_WEBUI_PASSWORD"
+		pwdPath = "/etc/faktory/webui_password"
+		cfgPath.Subsys = "web"
+		cfgPath.Elm = "password"
+	}
+
 	// allow the password to be injected via ENV rather than committed
 	// to filesystem.  Note if this value starts with a /, then it is
 	// considered a pointer to a file on the filesystem with the password
 	// value, e.g. FAKTORY_PASSWORD=/run/secrets/my_faktory_password.
-	val, ok := os.LookupEnv("FAKTORY_PASSWORD")
+	val, ok := os.LookupEnv(envKey)
 	if ok {
 		password = val
 	} else {
 
-		val := stringConfig(cfg, "faktory", "password", "")
+		val := stringConfig(cfg, cfgPath.Subsys, cfgPath.Elm, "")
 		if val != "" {
 			password = val
 
 			// clear password so we can log it safely
-			x := cfg["faktory"].(map[string]any)
-			x["password"] = "********"
+			x := cfg[cfgPath.Subsys].(map[string]any)
+			x[cfgPath.Elm] = "********"
 		}
 	}
 
 	if env != "development" && !skip() && password == "" {
-		ok, _ := util.FileExists("/etc/faktory/password")
+		ok, _ := util.FileExists(pwdPath)
 		if ok {
-			//nolint:gosec
-			password = "/etc/faktory/password"
+			password = pwdPath
 		}
 	}
 
@@ -288,7 +321,7 @@ func fetchPassword(cfg map[string]any, env string) (string, error) {
 		password = strings.TrimSpace(string(data))
 	}
 
-	if env != "development" && !skip() && password == "" {
+	if env != "development" && !skip() && password == "" && pwdtype == passwordTypeServer {
 		return "", fmt.Errorf("faktory requires a password to be set in staging or production, see the Security wiki page")
 	}
 

cli/security_test.go

@@ -14,6 +14,13 @@ func pwdCfg(value string) map[string]any {
 		},
 	}
 }
+func webPwdCfg(value string) map[string]any {
+	return map[string]any{
+		"web": map[string]any{
+			"password": value,
+		},
+	}
+}
 
 func TestPasswords(t *testing.T) {
 	emptyCfg := map[string]any{}
@@ -22,21 +29,30 @@ func TestPasswords(t *testing.T) {
 
 	t.Run("DevWithPassword", func(t *testing.T) {
 		cfg := pwdCfg(pwd)
-		pwd, err := fetchPassword(cfg, "development")
+		pwd, err := fetchPassword(cfg, "development", passwordTypeServer)
 		assert.NoError(t, err)
 		assert.Equal(t, 16, len(pwd))
 		assert.Equal(t, "cce29d6565ab7376", pwd)
 		assert.Equal(t, "********", cfg["faktory"].(map[string]any)["password"])
 	})
 
+	t.Run("DevWithWebPassword", func(t *testing.T) {
+		cfg := webPwdCfg(pwd)
+		pwd, err := fetchPassword(cfg, "development", passwordTypeWebUI)
+		assert.NoError(t, err)
+		assert.Equal(t, 16, len(pwd))
+		assert.Equal(t, "cce29d6565ab7376", pwd)
+		assert.Equal(t, "********", cfg["web"].(map[string]any)["password"])
+	})
+
 	t.Run("DevWithoutPassword", func(t *testing.T) {
-		pwd, err := fetchPassword(emptyCfg, "development")
+		pwd, err := fetchPassword(emptyCfg, "development", passwordTypeServer)
 		assert.NoError(t, err)
 		assert.Equal(t, "", pwd)
 	})
 
 	t.Run("ProductionWithoutPassword", func(t *testing.T) {
-		pwd, err := fetchPassword(emptyCfg, "production")
+		pwd, err := fetchPassword(emptyCfg, "production", passwordTypeServer)
 		assert.Error(t, err)
 		assert.Equal(t, "", pwd)
 	})
@@ -46,14 +62,14 @@ func TestPasswords(t *testing.T) {
 		err := os.WriteFile("/tmp/test-password", []byte("foobar"), os.FileMode(0o666))
 		assert.NoError(t, err)
 		cfg := pwdCfg("/tmp/test-password")
-		pwd, err := fetchPassword(cfg, "production")
+		pwd, err := fetchPassword(cfg, "production", passwordTypeServer)
 		assert.NoError(t, err)
 		assert.Equal(t, "foobar", pwd)
 	})
 
 	t.Run("ProductionWithPassword", func(t *testing.T) {
 		cfg := pwdCfg(pwd)
-		pwd, err := fetchPassword(cfg, "production")
+		pwd, err := fetchPassword(cfg, "production", passwordTypeServer)
 		assert.NoError(t, err)
 		assert.Equal(t, 16, len(pwd))
 		assert.Equal(t, "cce29d6565ab7376", pwd)
@@ -63,20 +79,31 @@ func TestPasswords(t *testing.T) {
 	t.Run("ProductionEnvPassword", func(t *testing.T) {
 		os.Setenv("FAKTORY_PASSWORD", "abc123")
 
-		pwd, err := fetchPassword(emptyCfg, "production")
+		pwd, err := fetchPassword(emptyCfg, "production", passwordTypeServer)
 		assert.NoError(t, err)
 		assert.Equal(t, "abc123", pwd)
 	})
 
 	os.Unsetenv("FAKTORY_PASSWORD")
 
+	t.Run("ProductionEnvPassword", func(t *testing.T) {
+		os.Setenv("FAKTORY_WEBUI_PASSWORD", "webuipass")
+
+		pwd, err := fetchPassword(emptyCfg, "production", passwordTypeWebUI)
+		assert.NoError(t, err)
+		assert.Equal(t, "webuipass", pwd)
+	})
+
+	os.Unsetenv("FAKTORY_WEBUI_PASSWORD")
+
 	t.Run("ProductionSkipPassword", func(t *testing.T) {
 		os.Setenv("FAKTORY_SKIP_PASSWORD", "yes")
 
-		pwd, err := fetchPassword(emptyCfg, "production")
+		pwd, err := fetchPassword(emptyCfg, "production", passwordTypeServer)
 		assert.NoError(t, err)
 		assert.Equal(t, "", pwd)
 	})
 
 	os.Unsetenv("FAKTORY_SKIP_PASSWORD")
+
 }

example/config.toml

@@ -1,3 +1,15 @@
+[faktory]
+# Required for production. Can use `FAKTORY_PASSWORD` env var instead
+password = "a-password-for-clients-to-connect-with"
+
+[web]
+# Optional. Specify to make the Web UI's HTTP Basic auth password different
+# from the Faktory server password clients connect with. Supports PHC-formatted
+# argon2id, bcrypt, scrypt, and pbkdf2 hashes and not just plaintext.
+# e.g. "$2b$12$xbQjW9Gtc35jLaAnGp7iV.PMoDuu0SdfWUrv30B6NT1vTrGc4LTPW"
+# Can use `FAKTORY_WEBUI_PASSWORD` env var instead.
+password = "an-optionally-different-http-basic-webui-password-from-faktory-server"
+
 [queues]
 # disable backpressure by default
 backpressure = 0

go.mod

@@ -4,16 +4,17 @@ go 1.24
 
 require (
 	github.com/BurntSushi/toml v1.5.0
-	github.com/contribsys/faktory_worker_go v1.7.0
 	github.com/justinas/nosurf v1.2.0
 	github.com/redis/go-redis/v9 v9.7.3
+	golang.org/x/crypto v0.39.0
 )
 
 require (
 	github.com/cespare/xxhash/v2 v2.2.0 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
+	golang.org/x/sys v0.33.0 // indirect
 )
 
 require (

go.sum

@@ -6,14 +6,10 @@ github.com/bsm/gomega v1.27.10 h1:yeMWxP2pV2fG3FgAODIY8EiRE3dy0aeFYt4l7wh6yKA=
 github.com/bsm/gomega v1.27.10/go.mod h1:JyEr/xRbxbtgWNi8tIEVPUYZ5Dzef52k01W3YH0H+O0=
 github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj44=
 github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
-github.com/contribsys/faktory_worker_go v1.7.0 h1:YSZRj/nSjn+2ms9ooHIOHAahHJehXutgD46b+0lHDP4=
-github.com/contribsys/faktory_worker_go v1.7.0/go.mod h1:JRw4PvanwLgX5IIQazw6W5zg/Rg7/Fg6YrkdH4gJJPc=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f h1:lO4WD4F/rVNCu3HqELle0jiPLLBs70cWOduZpkS1E78=
 github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f/go.mod h1:cuUVRXasLTGF7a8hSLbxyZXjz+1KgoB3wDUb6vlszIc=
-github.com/justinas/nosurf v1.1.1 h1:92Aw44hjSK4MxJeMSyDa7jwuI9GR2J/JCQiaKvXXSlk=
-github.com/justinas/nosurf v1.1.1/go.mod h1:ALpWdSbuNGy2lZWtyXdjkYv4edL23oSEgfBT1gPJ5BQ=
 github.com/justinas/nosurf v1.2.0 h1:yMs1bSRrNiwXk4AS6n8vL2Ssgpb9CB25T/4xrixaK0s=
 github.com/justinas/nosurf v1.2.0/go.mod h1:ALpWdSbuNGy2lZWtyXdjkYv4edL23oSEgfBT1gPJ5BQ=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
@@ -22,6 +18,10 @@ github.com/redis/go-redis/v9 v9.7.3 h1:YpPyAayJV+XErNsatSElgRZZVCwXX9QzkKYNvO7x0
 github.com/redis/go-redis/v9 v9.7.3/go.mod h1:bGUrSggJ9X9GUmZpZNEOQKaANxSGgOEBRltRTZHSvrA=
 github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
 github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+golang.org/x/crypto v0.39.0 h1:SHs+kF4LP+f+p14esP5jAoDpHU8Gu/v9lFRK6IT5imM=
+golang.org/x/crypto v0.39.0/go.mod h1:L+Xg3Wf6HoL4Bn4238Z6ft6KfEpN0tJGo53AAPC632U=
+golang.org/x/sys v0.33.0 h1:q3i8TbbEz+JRD9ywIRlyRAQbM0qF7hu24q3teo2hbuw=
+golang.org/x/sys v0.33.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=