Cloudron Forum

proxyAuth addon

Category: App Packaging & Development
54 Posts 15 Posters 10.0k Views
      #1 girish (Staff), last edited by girish

      Back in the day, we had an "oauth proxy" for apps that didn't support any authentication, to put up an auth wall. This was brought up in https://forum.cloudron.io/topic/1451/alternative-to-oauth-proxy . We removed that proxy when we removed OAuth support altogether.

      Recently, there are a bunch of apps that require an auth wall, including:

      • Prometheus server/alert manager
      • Cloud torrent
      • Transmission
      • Apps like surfer
      • Many of our internal apps

      I have put in this "proxy auth" feature in Cloudron 6. Just have to add it to addons in the manifest like:

      ```json
      "addons": {
          "proxyAuth": {}
      }
      ```

      Just like the ldap addon, the user can then select which users/groups can authenticate. If the manifest also has optionalSso, then the user can choose to let the app have no auth wall altogether.

      When using this feature, two routes are "reserved": /login and /logout. Some benefits of having this on the platform side (as opposed to in the app) are:

      • 2FA login
      • Session management in the user's profile page, i.e. the user can log out from apps etc.
      • Easier for us to maintain this feature. Currently, this feature has already been re-implemented in the apps using 3 different stacks: nginx/apache/node...

      I took a lot of inspiration from https://github.com/andygock/auth-server and @mehdi's transmission code. So, big thanks to them!

        #2 Lonkle

        I thought this would be a year away at least. This is amazing work. Thanks @girish and @mehdi!

          #3 girish (Staff)

          I took a screen cap

            #4 girish (Staff), last edited by girish

            I was berated by @nebulon for not using our peertube instance 🙂 So, here you go:

            https://videos.cloudron.io/videos/watch/7774aa02-2256-4f76-b626-9ed78d96f535


              #5 fbartels (App Dev)

              @girish do I get it right, that this is basically done without any modification of the app itself? Just turn on the add on and it will be used automatically?


                #6 girish (Staff)

                @fbartels Correct. Just the one proxyAuth line added to the addons in the manifest (~0:07 in the video). The code is at https://git.cloudron.io/cloudron/box/-/blob/master/src/proxyauth.js and there is the nginx config at https://git.cloudron.io/cloudron/box/-/blob/master/src/nginxconfig.ejs#L238

                  #7 marcusquinn

                  Oooo, swish! Nicely done!

                    #8 mehdi (App Dev)

                    @girish this looks lovely!

                    Suggestions:

                    • you could (possibly as an option) do like I do in the Transmission custom auth wall, and allow the request if there are BasicAuth credentials. This would allow Transmission to do away with its custom auth thing completely
                    • for more advanced use, you could allow this to be restricted to certain URLs in the app (again, as an option)
                      #9 girish (Staff)

                      @mehdi said in proxyAuth addon:

                      allow the request if there are BasicAuth credentials

                      Done (I saw what you did for Transmission and did similar)! https://git.cloudron.io/cloudron/box/-/commit/641704a74107fab7c54220428b7d4df3676f51d1

                        @nebulon said in What's coming in 6.0 (take 2):

                        So the idea is to put some kind of "framework" into the base image, which can be used by apps? Wouldn't that still mean that an app needs to be patched for at least the logout action anyway? Also, would we do this as a php set of features? I do like to not pull this into the platform code as such, as that does not increase dependency on it.

                        Alternately, we could certainly add a login screen served up with some kind of session. The question then, as already mentioned, is how to log out. We could provide the app with a logout link, but that still needs patching the app to some extent.

                        #10 ei8fdb

                        @nebulon said in What's coming in 6.0 (take 2):

                        Alternately, we could certainly add a login screen served up with some kind of session. The question then, as already mentioned, is how to logout. We could provide the app with a logout link, still that needs patching the app to some extent.

                        As I understand it, these are personal media apps, right? Is there therefore a need to logout?

                        What would happen if a user was able to log in, but not log out? They could close the browser window?


                          #11 girish (Staff)

                          @ei8fdb I moved your comment to this topic. I think the auth wall applies to all apps which don't have a notion of user management, for example apps like Prometheus as well.


                            #12 ei8fdb

                            @girish Gotcha.

                            OK. I've used 2 apps that (I think) don't have user management natively: youtube-del and the surfer files app. Is that right?


                              #13 girish (Staff)

                              @ei8fdb Indeed. Other apps are Transmission and Cloud Torrent. They can all use this addon.


                                #14 fbartels (App Dev)

                                @ei8fdb said in proxyAuth addon:

                                surfer

                                Surfer has auth for its backend.

                                    #16 Lonkle

                                    Heck, I'd probably switch to this option if my app didn't need to use LDAP to also grab an access token to get permission to restart and repair apps on-demand (if it doesn't already have an app access token, that is).


                                      #17 A Former User, last edited by A Former User

                                      @girish I have a request/question. How tedious would it be to incorporate a way to allow customization of the plugin to specify which routes should be protected in the app? For example, if someone wanted to make a cloudron specific app for personal use, would it be possible to allow this plugin to do the heavy lifting in terms of auth and protect routes like /admin, for instance.

                                      What I envision is basically the following use cases:

                                      • an empty list of routes -> all routes are protected
                                      • a list of routes is provided -> only the specified routes are protected

                                      I think this could be a game changer for using Cloudron for business apps or people building out their dev stack entirely on Cloudron without compromising the simplicity of the feature.

                                      Example:

                                      ```json
                                      "proxyAuth": {
                                          "routes": [
                                              "admin",
                                              "profile"
                                          ]
                                      }
                                      ```

                                      EDIT: Also, this just came to my mind: can apps using this plugin access the LDAP info like name, email, etc? I realize I am probably your worst nightmare with these requests but just thought I'd try.


                                        #18 girish (Staff)

                                        @atrilahiji said in proxyAuth addon:

                                        How tedious would it be to incorporate a way to allow customization of the plugin to specify which routes should be protected in the app

                                        Currently, up to 1 route can be protected - https://docs.cloudron.io/custom-apps/addons/#proxyauth . So, it's basically what you are asking for except that only one route can be protected.

                                        Also, this just came to my mind: can apps using this plugin access the LDAP info like name, email, etc?

                                        I guess we have to make up some HTTP headers to pass on this info like X-REMOTE-USER or something.


                                          #19 A Former User

                                          @girish Wow I totally didn't realize there were docs for it. Sorry for bugging you!


                                            #20 girish (Staff)

                                            @atrilahiji I just recently pushed it 🙂
