2 files changed, 20 insertions, 7 deletions

diff --git a/srv/src/api/api.go b/srv/src/api/api.go
index a5ada2d..7538662 100644
--- a/srv/src/api/api.go
+++ b/srv/src/api/api.go
@@ -54,6 +54,11 @@ type Params struct {
 	// reverse-proxied there.
 	StaticDir   string
 	StaticProxy *url.URL
+
+	// AuthUsers keys are usernames which are allowed to edit server-side data,
+	// and the values are the password hash which accompanies those users. The
+	// password hash must have been produced by NewPasswordHash.
+	AuthUsers map[string]string
 }
 
 // SetupCfg implement the cfg.Cfger interface.
@@ -176,6 +181,8 @@ func (a *api) handler() http.Handler {
 		return h
 	}
 
+	auther := NewAuther(a.params.AuthUsers)
+
 	mux := http.NewServeMux()
 
 	mux.Handle("/", staticHandler)
@@ -208,9 +215,13 @@ func (a *api) handler() http.Handler {
 		v2Mux.Handle("/posts/", a.renderPostHandler())
 		v2Mux.Handle("/assets/", http.StripPrefix("/assets",
 			apiutil.MethodMux(map[string]http.Handler{
-				"GET":    a.getPostAssetHandler(),
-				"POST":   formMiddleware(a.postPostAssetHandler()),
-				"DELETE": formMiddleware(a.deletePostAssetHandler()),
+				"GET": a.getPostAssetHandler(),
+				"POST": authMiddleware(auther,
+					formMiddleware(a.postPostAssetHandler()),
+				),
+				"DELETE": authMiddleware(auther,
+					formMiddleware(a.deletePostAssetHandler()),
+				),
 			}),
 		))
 		v2Mux.Handle("/", a.renderIndexHandler())
diff --git a/srv/src/api/auth.go b/srv/src/api/auth.go
index e668d7b..0d946a3 100644
--- a/srv/src/api/auth.go
+++ b/srv/src/api/auth.go
@@ -3,13 +3,14 @@ package api
 import (
 	"net/http"
 
+	"github.com/mediocregopher/blog.mediocregopher.com/srv/api/apiutil"
 	"golang.org/x/crypto/bcrypt"
 )
 
 // NewPasswordHash returns the hash of the given plaintext password, for use
 // with Auther.
 func NewPasswordHash(plaintext string) string {
-	hashedPassword, err := bcrypt.GenerateFromPassword([]byte(plaintext), 12)
+	hashedPassword, err := bcrypt.GenerateFromPassword([]byte(plaintext), 13)
 	if err != nil {
 		panic(err)
 	}
@@ -48,9 +49,10 @@ func (a *auther) Allowed(username, password string) bool {
 
 func authMiddleware(auther Auther, h http.Handler) http.Handler {
 
-	respondUnauthorized := func(rw http.ResponseWriter) {
+	respondUnauthorized := func(rw http.ResponseWriter, r *http.Request) {
 		rw.Header().Set("WWW-Authenticate", `Basic realm="NOPE"`)
 		rw.WriteHeader(http.StatusUnauthorized)
+		apiutil.GetRequestLogger(r).WarnString(r.Context(), "unauthorized")
 	}
 
 	return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
@@ -58,12 +60,12 @@ func authMiddleware(auther Auther, h http.Handler) http.Handler {
 		username, password, ok := r.BasicAuth()
 
 		if !ok {
-			respondUnauthorized(rw)
+			respondUnauthorized(rw, r)
 			return
 		}
 
 		if !auther.Allowed(username, password) {
-			respondUnauthorized(rw)
+			respondUnauthorized(rw, r)
 			return
 		}