proxyAuth addon
-
@girish this looks lovely !
Suggestions:
- you could (possibly as an option) do like I do in the Transmission custom auth wall, and allow the request if there are BasicAuth credentials. This would allow Transmission to do away with its custom auth thing completely
- for more advanced use, you could allow this to be restricted to certain URLs in the app (again, as an option)
@mehdi said in proxyAuth addon:
allow the request if there are BasicAuth credentials
Done (I saw what you did for transmission and did similar) ! https://git.cloudron.io/cloudron/box/-/commit/641704a74107fab7c54220428b7d4df3676f51d1
-
So the idea is to put some kind of "framework" into the base image, which can be used by apps? Wouldn't that anyways still not mean that an app needs to be patched for at least the logout action? Also would we do this as a php set of features? I do like to not pull this into the platform code as such, as that does not increase dependency on that.
Alternately, we could certainly add a login screen served up with some kind of session. The question then, as already mentioned, is how to logout. We could provide the app with a logout link, still that needs patching the app to some extent.
@nebulon said in What's coming in 6.0 (take 2):
Alternately, we could certainly add a login screen served up with some kind of session. The question then, as already mentioned, is how to logout. We could provide the app with a logout link, still that needs patching the app to some extent.
As I understand it, these are personal media apps, right? Is there therefore a need to logout?
What would happen if a user was able to login, but not log-out? They could close the browser window?
-
@nebulon said in What's coming in 6.0 (take 2):
Alternately, we could certainly add a login screen served up with some kind of session. The question then, as already mentioned, is how to logout. We could provide the app with a logout link, still that needs patching the app to some extent.
As I understand it, these are personal media apps, right? Is there therefore a need to logout?
What would happen if a user was able to login, but not log-out? They could close the browser window?
-
@ei8fdb I moved your comment to this topic. I think the auth wall applies to all apps which don't have a notion of user management. For example, apps like prometheus etc as well.
-
@girish Gotcha.
OK. I've used 2 apps that (I think) don't have user management natively - youtube-del and surfer files app. Is that right?
-
@girish Gotcha.
OK. I've used 2 apps that (I think) don't have user management natively - youtube-del and surfer files app. Is that right?
-
This post is deleted!
-
Back in the day, we had an "oauth proxy" for apps that didn't support any authentication to put up an auth wall. This was brought up https://forum.cloudron.io/topic/1451/alternative-to-oauth-proxy . We removed that proxy when we removed OAuth support altogether.
Recently, there is a bunch of apps that require an auth wall including:
- Prometheus server/alert manager
- Cloud torrent
- Transmission
- Apps like surfer
- Many of our internal apps
I have put in this "proxy auth" feature in Cloudron 6. Just have to add it to addons in the manifest like:
"addons": { "proxyAuth": {} }Just like the
ldapaddon, user can then select which users/groups can authenticate. If the manifest also hasoptionalSso, then user can choose to let the app have no auth wall altogether.When using this feature, two routes are "reserved" -
/loginand/logout. Some benefits of having this on the platform side (as opposed in the app are):- 2FA login
- Session management in the user's profile page. i.e can logout from apps etc
- Easier for us to maintain this feature. Currently, this feature has already been re-implemented in the apps using 3 different stacks - nginx/apache/node...
I took a lot of inspiration from https://github.com/andygock/auth-server and @mehdi's transmission code. So, big thanks to them!
@girish I have a request/question. How tedious would it be to incorporate a way to allow customization of the plugin to specify which routes should be protected in the app? For example, if someone wanted to make a cloudron specific app for personal use, would it be possible to allow this plugin to do the heavy lifting in terms of auth and protect routes like /admin, for instance.
What I invision is basically the following use cases:
- an empty list of routes -> all routes are protected
- a list of routes is provided -> only the specified routes are protected
I think this could be a game changer for using Cloudron for business apps or people building out their dev stack entirely on Cloudron without compromising the simplicity of the feature.
Example:
proxyAuth: { routes: [ 'admin', 'profile' ], }EDIT: Also, this just came to my mind: can apps using this plugin access the LDAP info like name, email, etc? I realize I am probably your worst nightmare with these requests but just thought I'd try.
-
@girish I have a request/question. How tedious would it be to incorporate a way to allow customization of the plugin to specify which routes should be protected in the app? For example, if someone wanted to make a cloudron specific app for personal use, would it be possible to allow this plugin to do the heavy lifting in terms of auth and protect routes like /admin, for instance.
What I invision is basically the following use cases:
- an empty list of routes -> all routes are protected
- a list of routes is provided -> only the specified routes are protected
I think this could be a game changer for using Cloudron for business apps or people building out their dev stack entirely on Cloudron without compromising the simplicity of the feature.
Example:
proxyAuth: { routes: [ 'admin', 'profile' ], }EDIT: Also, this just came to my mind: can apps using this plugin access the LDAP info like name, email, etc? I realize I am probably your worst nightmare with these requests but just thought I'd try.
@atrilahiji said in proxyAuth addon:
How tedious would it be to incorporate a way to allow customization of the plugin to specify which routes should be protected in the app
Currently, up to 1 route can be protected - https://docs.cloudron.io/custom-apps/addons/#proxyauth . So, it's basically what you are asking for except that only one route can be protected.
Also, this just came to my mind: can apps using this plugin access the LDAP info like name, email, etc?
I guess we have to make up some HTTP headers to pass on this info like X-REMOTE-USER or something.
-
@atrilahiji said in proxyAuth addon:
How tedious would it be to incorporate a way to allow customization of the plugin to specify which routes should be protected in the app
Currently, up to 1 route can be protected - https://docs.cloudron.io/custom-apps/addons/#proxyauth . So, it's basically what you are asking for except that only one route can be protected.
Also, this just came to my mind: can apps using this plugin access the LDAP info like name, email, etc?
I guess we have to make up some HTTP headers to pass on this info like X-REMOTE-USER or something.
-
@girish Wow I totally didn't realize there were docs for it. Sorry for bugging you!
-
@girish is there a way to get the username/email from within the app?
-
@saikarthik currently not, I guess the only option would be to add the username/email as a header in the requests?
@nebulon That would seem a sensible approach. Similar to other gateway authentication solutions I've seen. Definitely would need to restrict trust of those headers either in app or sever configuration though to prevent escalation/impersonation/ato attacks
-
@nebulon That would seem a sensible approach. Similar to other gateway authentication solutions I've seen. Definitely would need to restrict trust of those headers either in app or sever configuration though to prevent escalation/impersonation/ato attacks
-
@jimcavoli is there any risk or impersonation angle, if the reverse proxy always explicitly overwrites that header?
-
-
Related: while re-working the n8n packaging, I happened upon what would probably be reasonably common, where there are selected sub-paths of
/which should not be authenticated - example being we want/to require auth, but not/webhook/*paths. It's at least non-obvious if not unsupported by the current docs on how to do this withproxyAuth
