proxyAuth addon
-
Back in the day, we had an "oauth proxy" for apps that didn't support any authentication to put up an auth wall. This was brought up in https://forum.cloudron.io/topic/1451/alternative-to-oauth-proxy . We removed that proxy when we removed OAuth support altogether.
Recently, there are a bunch of apps that require an auth wall including:
- Prometheus server/alert manager
- Cloud torrent
- Transmission
- Apps like surfer
- Many of our internal apps
I have put in this "proxy auth" feature in Cloudron 6. Just have to add it to addons in the manifest like:
"addons": { "proxyAuth": {} }
Just like the ldap addon, user can then select which users/groups can authenticate. If the manifest also has optionalSso, then user can choose to let the app have no auth wall altogether. When using this feature, two routes are "reserved" - /login and /logout. Some benefits of having this on the platform side (as opposed to in the app) are:
- 2FA login
- Session management in the user's profile page. i.e can logout from apps etc
- Easier for us to maintain this feature. Currently, this feature has already been re-implemented in the apps using 3 different stacks - nginx/apache/node...
I took a lot of inspiration from https://github.com/andygock/auth-server and @mehdi's transmission code. So, big thanks to them!
-
@fbartels Correct. Just the one line proxyAuth added to the addons in the manifest (~0:07 in the video). https://git.cloudron.io/cloudron/box/-/blob/master/src/proxyauth.js and there is the nginx config https://git.cloudron.io/cloudron/box/-/blob/master/src/nginxconfig.ejs#L238
-
Oooo, swish! Nicely done!
-
@girish this looks lovely !
Suggestions:
- you could (possibly as an option) do like I do in the Transmission custom auth wall, and allow the request if there are BasicAuth credentials. This would allow Transmission to do away with its custom auth thing completely
- for more advanced use, you could allow this to be restricted to certain URLs in the app (again, as an option)
-
@mehdi said in proxyAuth addon:
allow the request if there are BasicAuth credentials
Done (I saw what you did for transmission and did similar)! https://git.cloudron.io/cloudron/box/-/commit/641704a74107fab7c54220428b7d4df3676f51d1
-
@nebulon said in What's coming in 6.0 (take 2):
Alternately, we could certainly add a login screen served up with some kind of session. The question then, as already mentioned, is how to logout. We could provide the app with a logout link, still that needs patching the app to some extent.
As I understand it, these are personal media apps, right? Is there therefore a need to logout?
What would happen if a user was able to login, but not log-out? They could close the browser window?
-
@girish I have a request/question. How tedious would it be to incorporate a way to allow customization of the plugin to specify which routes should be protected in the app? For example, if someone wanted to make a cloudron specific app for personal use, would it be possible to allow this plugin to do the heavy lifting in terms of auth and protect routes like /admin, for instance.
What I envision is basically the following use cases:
- an empty list of routes -> all routes are protected
- a list of routes is provided -> only the specified routes are protected
I think this could be a game changer for using Cloudron for business apps or people building out their dev stack entirely on Cloudron without compromising the simplicity of the feature.
Example:
proxyAuth: { routes: [ 'admin', 'profile' ], }
EDIT: Also, this just came to my mind: can apps using this plugin access the LDAP info like name, email, etc? I realize I am probably your worst nightmare with these requests but just thought I'd try.
-
@atrilahiji said in proxyAuth addon:
How tedious would it be to incorporate a way to allow customization of the plugin to specify which routes should be protected in the app
Currently, up to 1 route can be protected - https://docs.cloudron.io/custom-apps/addons/#proxyauth . So, it's basically what you are asking for except that only one route can be protected.
Also, this just came to my mind: can apps using this plugin access the LDAP info like name, email, etc?
I guess we have to make up some HTTP headers to pass on this info like X-REMOTE-USER or something.