Cloudron makes it easy to run web apps like WordPress, Nextcloud, GitLab on your server. Find out more or install now.


Navigation

    Cloudron Forum

    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular

    proxyAuth addon

    App Packaging & Development
    15
    53
    647
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • girish
      girish Staff @jimcavoli last edited by

      @jimcavoli Indeed, that's not something I designed for. How complicated can these rules get ? Atleast, https://docs.n8n.io/reference/security.html does not seems to have any more information. Or should I just add a publicPath property (singular) and that's enough ? I like to under-design these things and extend them as use cases come.

      mehdi 1 Reply Last reply Reply Quote 1
      • mehdi
        mehdi App Dev @girish last edited by

        @girish I think the best would be to have the path in proxyAuth be an array, where given paths can be either positive or negative. It's the way things like .gitignore work.

        For example, in this case, it would be:

        {
          "proxyAuth": [
            "/",
            "!/webbooks/"
          ]
        }
        
        T 1 Reply Last reply Reply Quote 3
        • T
          thetomester13 App Dev @mehdi last edited by

          @mehdi I like this solution and its flexibility. It could also be backwards compatible with the currently version - if no paths are specified, everything is auth'ed.

          1 Reply Last reply Reply Quote 1
          • jimcavoli
            jimcavoli App Dev last edited by

            Agree on the default behavior - I imagine it's unlikely that anything more specific than path-level exceptions are unlikely. Perhaps as an extension to the solution that @mehdi suggests, we could extend the existing format of:

            {
              "proxyAuth": {
                "path": "/admin" 
              }
            }
            

            To take exceptions:

            {
              "proxyAuth": {
                "path": "/admin" ,
                "exclude": [
                  "/webhook",
                  "/
                ]
              }
            }
            

            Or with probably over-the-top features, make everything a map of path and exception(s):

            {
              "proxyAuth": {
                "paths": {
                  "/" : [
                    "/webhook",
                    "/public"
                  ],
                  "/admin": []
                }
              }
            }
            

            Honestly, I appreciate the minimal-first approach, and I think the middle option of adding a (understood to be auto-wildcarded) array of exclusions is the easier next step. I can't imagine anything that would need the super-complex variant would be something that would or should rely on such a mechanism to secure it.

            girish 1 Reply Last reply Reply Quote 0
            • N
              nj @girish last edited by

              @girish I don't see the 2FA code prompt on the login page of Simple Torrent. Am I missing something?

              Some benefits of having this on the platform side (as opposed in the app are):

              • 2FA login
              mehdi 1 Reply Last reply Reply Quote 0
              • mehdi
                mehdi App Dev @nj last edited by

                @nj I don't think this is implemented either:

                • Session management in the user's profile page. i.e can logout from apps etc

                I think @girish just meant that it would be possible to implement this in the future, not that it would be in the first version of proxyAuth.

                1 Reply Last reply Reply Quote 0
                • girish
                  girish Staff last edited by

                  @nj I have logged it here - https://git.cloudron.io/cloudron/box/-/issues/748 . As @mehdi said, it wasn't implemented as part of the first iteration of proxyAuth.

                  1 Reply Last reply Reply Quote 0
                  • girish
                    girish Staff @jimcavoli last edited by

                    @jimcavoli Shall I go with path: "!/webhooks" for now? Will this be enough for n8n ?

                    jimcavoli 1 Reply Last reply Reply Quote 0
                    • jimcavoli
                      jimcavoli App Dev @girish last edited by

                      @girish Yeah, that would be enough for n8n I think, though if we're going to go that route, I think making paths an array of either path(s) and/or ! paths makes the most sense in general (at least somehow providing for the option of multiple excluded paths)

                      girish 1 Reply Last reply Reply Quote 0
                      • girish
                        girish Staff @jimcavoli last edited by

                        @jimcavoli won't having it plural cause some confusing semantics if you mix ! and no ! paths ? Let me think 🤔

                        mehdi S 2 Replies Last reply Reply Quote 0
                        • mehdi
                          mehdi App Dev @girish last edited by

                          @girish It works for .gitignore files 🤷

                          girish 1 Reply Last reply Reply Quote 1
                          • girish
                            girish Staff @mehdi last edited by

                            @mehdi great point. I can copy what they do.

                            M 1 Reply Last reply Reply Quote 1
                            • M
                              murgero App Dev @girish last edited by murgero

                              @girish Currently I have an app that this does not work on - is there something special I need to do in the app beyond adding the addon to the addon list?

                              Edit: I am blind I swear - just formatted the JSON incorrectly for the manifest.

                              1 Reply Last reply Reply Quote 1
                              • S
                                saikarthik @girish last edited by

                                @girish Hi Girish, what is the status of this? selectively exposing certain paths to public?

                                mehdi 1 Reply Last reply Reply Quote 0
                                • mehdi
                                  mehdi App Dev @saikarthik last edited by

                                  @saikarthik Girish answered here : https://forum.cloudron.io/post/23886

                                  Yes, proxyAuth exclusion is implemented. I only implemented a simple approach with a ! pattern for now (not an array).

                                  1 Reply Last reply Reply Quote 1
                                  • H
                                    hendrikvl last edited by

                                    I have a question regarding the proxyAuth addon: If I understand it correctly, it has to added to the manifest file and therefore is only suitable for custom apps. How about an option to enable it for apps that have built-in authentication as well?

                                    In my case, I would like to hide the public site of an Shaarli-instance behind the proxyAuth login. Such that authenticated users can browse the public page and I can additionally login using the builtin auth as admin.
                                    I know, that this usecase is somewhat specific and customary, but it is just meant as an example of possible use cases for an proxyAuth-option with the standard apps.

                                    mehdi girish 2 Replies Last reply Reply Quote 0
                                    • mehdi
                                      mehdi App Dev @hendrikvl last edited by

                                      @hendrikvl I don't use Shaarli, so I don't know about it very well, but in my opinion, the clean way to do this would be to request the upstream project (Shaarli) to allow an option to protect stuff behind its own auth wall, and have 2 types of users, normal & admin. It seems "hacky" to me to solve this usecase with Cloudron's proxyAuth

                                      1 Reply Last reply Reply Quote 2
                                      • girish
                                        girish Staff @hendrikvl last edited by

                                        @hendrikvl Currently, proxyAuth is designed for cases where the app has no user management at all. I think if an app already has user support like shaarli, it's best to ask the upstream project to password protect the public page as @mehdi suggests. BTW, if you post a request upstream, please do post the link here.

                                        M H 2 Replies Last reply Reply Quote 1
                                        • M
                                          murgero App Dev @girish last edited by

                                          @girish This plugin works amazing on my alpha build of code-server. Works like a treat.

                                          1 Reply Last reply Reply Quote 3
                                          • H
                                            hendrikvl @girish last edited by

                                            @girish @mehdi Thanks for your replies. Since Shaarli is designed as a single-user application, I don't see much chances of getting LDAP integration implemented for the public page.
                                            But you're of course right, that my proposal for the Shaarli public page is a bit "hacky". It was rather meant as an example of what a dynamic proxyAuth-option could be used for. My thought was, that others might have a need for such an option in similar situations as well.

                                            1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post