Cloudron Forum

proxyAuth addon

App Packaging & Development
54 Posts 15 Posters 2.8k Views

  • mehdi App Dev
    wrote
    #8

    @girish this looks lovely !

    Suggestions:

    • you could (possibly as an option) do like I do in the Transmission custom auth wall, and allow the request if there are BasicAuth credentials. This would allow Transmission to do away with its custom auth thing completely
    • for more advanced use, you could allow this to be restricted to certain URLs in the app (again, as an option)
  • girish Staff
    replied to mehdi
    #9

    @mehdi said in proxyAuth addon:

    allow the request if there are BasicAuth credentials

    Done (I saw what you did for transmission and did similar) ! https://git.cloudron.io/cloudron/box/-/commit/641704a74107fab7c54220428b7d4df3676f51d1

  • ei8fdb
    replied to nebulon
    #10

    @nebulon said in What's coming in 6.0 (take 2):

    Alternately, we could certainly add a login screen served up with some kind of session. The question then, as already mentioned, is how to logout. We could provide the app with a logout link, still that needs patching the app to some extent.

    As I understand it, these are personal media apps, right? Is there therefore a need to logout?

    What would happen if a user was able to login, but not log-out? They could close the browser window?

  • girish Staff
    replied to ei8fdb
    #11

    @ei8fdb I moved your comment to this topic. I think the auth wall applies to all apps which don't have a notion of user management. For example, apps like prometheus etc as well.

  • ei8fdb
    replied to girish
    #12

    @girish Gotcha.

    OK. I've used 2 apps that (I think) don't have user management natively - youtube-dl and surfer files app. Is that right?

  • girish Staff
    replied to ei8fdb
    #13

    @ei8fdb Indeed, other apps are Transmission, Cloud Torrent. They can all use this addon.

  • fbartels App Dev
    replied to ei8fdb
    #14

    @ei8fdb said in proxyAuth addon:

    surfer

    Surfer has auth for its backend

  • Lonkle
    wrote
    #16

    Heck, I'd probably switch to this option if my app didn't need to use LDAP to also grab an access token to get permission to restart and repair apps on-demand (if it doesn't already have an app access token, that is).

  • A Former User
    replied to girish
    #17

    @girish I have a request/question. How tedious would it be to incorporate a way to allow customization of the plugin to specify which routes should be protected in the app? For example, if someone wanted to make a cloudron specific app for personal use, would it be possible to allow this plugin to do the heavy lifting in terms of auth and protect routes like /admin, for instance.

    What I envision is basically the following use cases:

    • an empty list of routes -> all routes are protected
    • a list of routes is provided -> only the specified routes are protected

    I think this could be a game changer for using Cloudron for business apps or people building out their dev stack entirely on Cloudron without compromising the simplicity of the feature.

    Example:

    proxyAuth: {
        routes: [
            'admin',
            'profile'
        ],
    }
    

    EDIT: Also, this just came to my mind: can apps using this plugin access the LDAP info like name, email, etc? I realize I am probably your worst nightmare with these requests but just thought I'd try.

  • girish Staff
    replied to A Former User
    #18

    @atrilahiji said in proxyAuth addon:

    How tedious would it be to incorporate a way to allow customization of the plugin to specify which routes should be protected in the app

    Currently, up to 1 route can be protected - https://docs.cloudron.io/custom-apps/addons/#proxyauth . So, it's basically what you are asking for except that only one route can be protected.

    Also, this just came to my mind: can apps using this plugin access the LDAP info like name, email, etc?

    I guess we have to make up some HTTP headers to pass on this info like X-REMOTE-USER or something.

  • A Former User
    replied to girish
    #19

    @girish Wow I totally didn't realize there were docs for it. Sorry for bugging you!

  • girish Staff
    replied to A Former User
    #20

    @atrilahiji I just recently pushed it 🙂

  • saikarthik
    wrote
    #21

    @girish is there a way to get the username/email from within the app?

  • nebulon Staff
    replied to saikarthik
    #22

    @saikarthik currently not, I guess the only option would be to add the username/email as a header in the requests?

  • jimcavoli App Dev
    replied to nebulon
    #23

    @nebulon That would seem a sensible approach. Similar to other gateway authentication solutions I've seen. Definitely would need to restrict trust of those headers either in app or server configuration though to prevent escalation/impersonation/ATO attacks

  • nebulon Staff
    replied to jimcavoli
    #24

    @jimcavoli is there any risk or impersonation angle, if the reverse proxy always explicitly overwrites that header?

  • jimcavoli App Dev
    replied to nebulon
    #25

    @nebulon Yes, an always-overwrite would mitigate as well, as long as the edges get tested well, might be the easier solution

  • saikarthik
    wrote
    #26

    @nebulon @girish is this something that can be added to cloudron? passing logged in username/email ID to apps through the header? Any comments/issues?

  • girish Staff
    replied to saikarthik
    #27

    @saikarthik yup, can surely be added. probably next release.

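The always-overwrite handling of identity headers discussed in posts #22 to #25, as an added example that is not part of the thread and is not Cloudron's code. `X-Remote-User` is the name floated in post #18; `X-Remote-Email`, the function names, and the sample addresses are assumptions made for illustration.

```javascript
// Added example: identity headers set by an authenticating reverse proxy.
// X-Remote-User is the name floated in the thread; X-Remote-Email and all
// function names here are hypothetical.
const IDENTITY_HEADERS = ['x-remote-user', 'x-remote-email'];

// Some servers and CGI-style gateways fold '_' and '-' together, so
// "X_Remote_User" from a client can collide with "X-Remote-User".
function canonical(name) {
  return name.toLowerCase().replace(/_/g, '-');
}

// Proxy side: drop every client-supplied identity header, then set the values
// from the authenticated session (always overwrite, never merge).
function buildUpstreamHeaders(clientHeaders, session) {
  const out = {};
  for (const [name, value] of Object.entries(clientHeaders)) {
    if (IDENTITY_HEADERS.includes(canonical(name))) continue;
    out[name] = value;
  }
  if (session && session.username) {
    out['x-remote-user'] = session.username;
    out['x-remote-email'] = session.email || '';
  }
  return out;
}

// App side: trust the headers only when the TCP peer is the proxy itself.
function identityFromRequest(headers, peerAddress, trustedProxies) {
  if (!trustedProxies.includes(peerAddress)) return null;
  const user = headers['x-remote-user'];
  if (typeof user !== 'string' || user === '') return null;
  return { username: user, email: headers['x-remote-email'] || null };
}

// Constructed sample request: the client supplies its own identity headers.
const spoofed = {
  'host': 'app.example.com',
  'X-Remote-User': 'admin',
  'x_remote_email': 'admin@example.com',
};
const forwarded = buildUpstreamHeaders(spoofed, { username: 'alice', email: 'alice@example.com' });
console.log(forwarded);
console.log(identityFromRequest(forwarded, '172.18.0.1', ['172.18.0.1']));
console.log(identityFromRequest(spoofed, '203.0.113.7', ['172.18.0.1']));
```

The app-side peer check matters when the app's port is reachable by anything other than the proxy; the edges worth testing are header-name case, underscore variants, and unauthenticated requests that must leave no identity header at all.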
