ServerSideHannes · ServerSideHannes · Apr 22, 2026
diff --git a/pyproject.toml b/pyproject.toml
@@ -70,6 +70,10 @@ target-version = "py314"
 [tool.ruff.lint]
 select = ["E", "F", "I", "N", "W", "UP", "B", "C4", "SIM"]
 
+[tool.ruff.lint.per-file-ignores]
+# Inline HTML/CSS/JS template has unavoidably long lines
+"s3proxy/admin/templates.py" = ["E501"]
+
 [tool.pytest.ini_options]
 asyncio_mode = "auto"
 testpaths = ["tests"]

diff --git a/s3proxy/admin/__init__.py b/s3proxy/admin/__init__.py
@@ -0,0 +1,6 @@
+"""Admin dashboard for S3Proxy."""
+
+from .collectors import record_request
+from .router import create_admin_router
+
+__all__ = ["create_admin_router", "record_request"]
diff --git a/s3proxy/admin/auth.py b/s3proxy/admin/auth.py
@@ -0,0 +1,44 @@
+"""HTTP Basic Auth for admin dashboard."""
+
+from __future__ import annotations
+
+import secrets
+from typing import TYPE_CHECKING
+
+from fastapi import Depends, HTTPException, status
+from fastapi.security import HTTPBasic, HTTPBasicCredentials
+
+if TYPE_CHECKING:
+    from ..config import Settings
+
+security = HTTPBasic(realm="S3Proxy Admin")
+_security_dep = Depends(security)
+
+
+def create_auth_dependency(settings: Settings, credentials_store: dict[str, str]):
+    """Build a Basic Auth dependency using configured or AWS-derived credentials."""
+    if settings.admin_username and settings.admin_password:
+        valid_username = settings.admin_username
+        valid_password = settings.admin_password
+    elif credentials_store:
+        valid_username = next(iter(credentials_store.keys()))
+        valid_password = credentials_store[valid_username]
+    else:
+        raise RuntimeError("No credentials configured for admin auth")
+
+    async def verify(credentials: HTTPBasicCredentials = _security_dep):
+        ok_user = secrets.compare_digest(
+            credentials.username.encode(), valid_username.encode()
+        )
+        ok_pass = secrets.compare_digest(
+            credentials.password.encode(), valid_password.encode()
+        )
+        if not (ok_user and ok_pass):
+            raise HTTPException(
+                status_code=status.HTTP_401_UNAUTHORIZED,
+                detail="Invalid credentials",
+                headers={"WWW-Authenticate": 'Basic realm="S3Proxy Admin"'},
+            )
+        return credentials
+
+    return verify