Merge branch '4.13' of https://github.com/craftcms/cms into 5.5

# Conflicts:
#	CHANGELOG-WIP.md

CHANGELOG-WIP.md

@@ -16,7 +16,11 @@
 
 ### Extensibility
 - Added `craft\base\RequestTrait::getIsWebRequest()`. ([#15690](https://github.com/craftcms/cms/pull/15690))
+- Added `craft\filters\BasicHttpAuthLogin`. ([#15720](https://github.com/craftcms/cms/pull/15720))
+- Added `craft\filters\BasicHttpAuthStatic`. ([#15720](https://github.com/craftcms/cms/pull/15720))
+- Added `craft\filters\SiteFilterTrait::$enabled`. ([#15720](https://github.com/craftcms/cms/pull/15720))
 - Added `craft\helpers\StringHelper::firstLine()`.
+- Deprecated the `enableBasicHttpAuth` config setting. `craft\filters\BasicHttpAuthLogin` should be used instead. ([#15720](https://github.com/craftcms/cms/pull/15720))
 
 ### System
 - Fixed a bug where the Recovery Codes slideout content overflowed its container on small screens. ([#15665](https://github.com/craftcms/cms/pull/15665))

src/config/GeneralConfig.php

@@ -1072,6 +1072,7 @@ class GeneralConfig extends BaseConfig
      *
      * @group Security
      * @since 3.5.0
+     * @deprecated in 4.13.0. [[\craft\filters\BasicHttpAuthLogin]] should be used instead.
      */
     public bool $enableBasicHttpAuth = false;
 

src/filters/BasicHttpAuthLogin.php

@@ -0,0 +1,57 @@
+<?php
+/**
+ * @link https://craftcms.com/
+ * @copyright Copyright (c) Pixel & Tonic, Inc.
+ * @license https://craftcms.github.io/license/
+ */
+
+namespace craft\filters;
+
+use Craft;
+use craft\elements\User;
+use yii\filters\auth\HttpBasicAuth;
+use yii\web\IdentityInterface;
+
+/**
+ * Filter for adding basic HTTP authentication user credentials to site requests.
+ *
+ * @see https://www.yiiframework.com/doc/api/2.0/yii-filters-auth-httpbasicauth
+ * @author Pixel & Tonic, Inc. <support@pixelandtonic.com>
+ * @since 5.5.0
+ */
+class BasicHttpAuthLogin extends HttpBasicAuth
+{
+    use SiteFilterTrait, BasicHttpAuthTrait;
+
+    /**
+     * @inheritdoc
+     */
+    public $realm;
+
+    /**
+     * @inheritdoc
+     */
+    public function __construct($config = [])
+    {
+        parent::__construct($config + [
+            'auth' => [$this, 'auth'],
+            'realm' => Craft::$app->getSystemName(),
+        ]);
+    }
+
+    protected function auth($username, $password): ?IdentityInterface
+    {
+        if (!$username || !$password) {
+            return null;
+        }
+
+        $user = User::find()->username($username)->one();
+        $identity = $user?->findIdentity($user->id);
+
+        if ($identity && Craft::$app->getSecurity()->validatePassword($password, $identity->password)) {
+            return $identity;
+        }
+
+        return null;
+    }
+}

src/filters/BasicHttpAuthStatic.php

@@ -0,0 +1,73 @@
+<?php
+/**
+ * @link https://craftcms.com/
+ * @copyright Copyright (c) Pixel & Tonic, Inc.
+ * @license https://craftcms.github.io/license/
+ */
+
+namespace craft\filters;
+
+use Craft;
+use craft\helpers\App;
+use yii\base\InvalidConfigException;
+use yii\filters\auth\HttpBasicAuth;
+
+/**
+ * Filter for adding basic HTTP authentication with static credentials to site requests.
+ *
+ * @see https://www.yiiframework.com/doc/api/2.0/yii-filters-auth-httpbasicauth
+ * @author Pixel & Tonic, Inc. <support@pixelandtonic.com>
+ * @since 5.5.0
+ */
+class BasicHttpAuthStatic extends HttpBasicAuth
+{
+    use SiteFilterTrait, BasicHttpAuthTrait;
+
+    public ?string $username = null;
+    public ?string $password = null;
+
+    /**
+     * @inheritdoc
+     */
+    public $realm;
+
+    /**
+     * @inheritDoc
+     */
+    public function __construct($config = [])
+    {
+        parent::__construct($config + [
+            'username' => App::env('CRAFT_HTTP_BASIC_AUTH_USERNAME'),
+            'password' => App::env('CRAFT_HTTP_BASIC_AUTH_PASSWORD'),
+            'realm' => Craft::$app->getSystemName(),
+        ]);
+    }
+
+    /**
+     * @inheritDoc
+     */
+    public function beforeAction($action): bool
+    {
+        if (!$this->username || !$this->password) {
+            throw new InvalidConfigException('Basic authentication is not configured.');
+        }
+
+        $currentUser = Craft::$app->getUser()->getIdentity();
+
+        if ($currentUser) {
+            return true;
+        }
+
+        list($username, $password) = Craft::$app->getRequest()->getAuthCredentials();
+
+        if ($username === $this->username && $password === $this->password) {
+            return true;
+        }
+
+        $response = Craft::$app->getResponse();
+        $this->challenge($response);
+        $this->handleFailure($response);
+
+        return false;
+    }
+}

src/filters/BasicHttpAuthTrait.php

@@ -0,0 +1,33 @@
+<?php
+/**
+ * @link https://craftcms.com/
+ * @copyright Copyright (c) Pixel & Tonic, Inc.
+ * @license https://craftcms.github.io/license/
+ */
+
+namespace craft\filters;
+
+use Craft;
+use yii\web\UnauthorizedHttpException;
+
+/**
+ * Trait BasicHttpAuthTrait
+ *
+ * @author Pixel & Tonic, Inc. <support@pixelandtonic.com>
+ * @since 5.5.0
+ */
+trait BasicHttpAuthTrait
+{
+    /**
+     * Detach behavior and manually handle exception so error handling
+     * isn't called recursively when already handling an exception (e.g. 404s)
+     */
+    public function handleFailure($response): void
+    {
+        $this->detach();
+
+        Craft::$app->getErrorHandler()->handleException(
+            new UnauthorizedHttpException('Your request was made with invalid credentials.'),
+        );
+    }
+}

src/filters/SiteFilterTrait.php

@@ -21,6 +21,12 @@
  */
 trait SiteFilterTrait
 {
+    /**
+     * @var bool Whether the filter should be enabled.
+     * @since 5.5.0
+     */
+    public bool $enabled = true;
+
     private null|array $siteIds = null;
 
     protected function isActive(mixed $action): bool
@@ -29,7 +35,7 @@ protected function isActive(mixed $action): bool
             return false;
         }
 
-        return $this->isCurrentSiteActive();
+        return $this->enabled && $this->isCurrentSiteActive();
     }
 
     protected function setSite(null|array|int|string|Site $value): void