Allow logging in with only username

app/api/repp/api.rb

@@ -3,8 +3,18 @@ module Repp
     format :json
     prefix :repp
 
-    http_basic do |username, password|
+    before do
-      @current_user ||= ApiUser.find_by(username: username, password: password)
+      auth_param = request.headers['Authorization'].split(' ', 2).second
+      username, password = ::Base64.decode64(auth_param || '').split(':', 2)
+
+      # allow user lookup only by username if request came from webclient
+      if request.ip == APP_CONFIG['webclient_ip'] && password.blank?
+        login_params = { username: username }
+      else
+        login_params = { username: username, password: password }
+      end
+
+      @current_user ||= ApiUser.find_by(login_params)
     end
 
     helpers do

app/controllers/epp/sessions_controller.rb

@@ -4,8 +4,8 @@ class Epp::SessionsController < EppController
   end
 
   def login
-    # pki login
+    # Allow login with only username
-    if request.env['HTTP_SSL_CLIENT_S_DN_CN'] == login_params[:username]
+    if request.ip == APP_CONFIG['webclient_ip'] && login_params[:password].nil?
       @api_user = ApiUser.find_by(username: login_params[:username])
     else
       @api_user = ApiUser.find_by(login_params)

config/routes.rb

@@ -3,6 +3,7 @@ require 'epp_constraint'
 Rails.application.routes.draw do
   namespace(:epp, defaults: { format: :xml }) do
     match 'session/:action', controller: 'sessions', via: :all
+    match 'session/pki/:action', controller: 'sessions', via: :all
 
     post 'command/:action', controller: 'domains', constraints: EppConstraint.new(:domain)
     post 'command/:action', controller: 'contacts', constraints: EppConstraint.new(:contact)