Cloudron Forum


proxyAuth addon

App Packaging & Development
54 Posts 15 Posters 2.8k Views
  • girish (Staff) wrote (last edited by girish) #1

    Back in the day, we had an "oauth proxy" for apps that didn't support any authentication to put up an auth wall. This was brought up in https://forum.cloudron.io/topic/1451/alternative-to-oauth-proxy . We removed that proxy when we removed OAuth support altogether.

    Recently, there is a bunch of apps that require an auth wall including:

    • Prometheus server/alert manager
    • Cloud torrent
    • Transmission
    • Apps like surfer
    • Many of our internal apps

    I have put in this "proxy auth" feature in Cloudron 6. Just have to add it to addons in the manifest like:

    "addons": {
        "proxyAuth": {}
    }
    

    Just like the ldap addon, the user can then select which users/groups can authenticate. If the manifest also has optionalSso, then the user can choose to let the app have no auth wall altogether.

    When using this feature, two routes are "reserved" - /login and /logout. Some benefits of having this on the platform side (as opposed to in the app) are:

    • 2FA login
    • Session management in the user's profile page, i.e. can log out from apps etc.
    • Easier for us to maintain this feature. Currently, this feature has already been re-implemented in the apps using 3 different stacks - nginx/apache/node...

    I took a lot of inspiration from https://github.com/andygock/auth-server and @mehdi's transmission code. So, big thanks to them!

    13
  • Lonkle wrote #2

    I thought this would be a year away at least. This is amazing work. Thanks @girish and @mehdi!

    0
  • girish (Staff) wrote #3

    I took a screen cap

    5
  • girish (Staff) wrote (last edited by girish) #4

    I was berated by @nebulon for not using our peertube instance 🙂 So, here you go:

    https://videos.cloudron.io/videos/watch/7774aa02-2256-4f76-b626-9ed78d96f535

    7
  • fbartels (App Dev) replied to girish #5

    @girish do I get it right, that this is basically done without any modification of the app itself? Just turn on the add on and it will be used automatically?

    0
  • girish (Staff) replied to fbartels #6

    @fbartels Correct. Just the one line, proxyAuth, added to the addons in the manifest (~0:07 in the video). https://git.cloudron.io/cloudron/box/-/blob/master/src/proxyauth.js and there is the nginx config https://git.cloudron.io/cloudron/box/-/blob/master/src/nginxconfig.ejs#L238

    2
  • marcusquinn wrote #7

    Oooo, swish! Nicely done!

    We're not here for a long time - but we are here for a good time :)
    Jersey/UK
    Work & Ecommerce Advice: https://brandlight.org
    Personal & Software Tips: https://marcusquinn.com

    0
  • mehdi (App Dev) wrote #8

    @girish this looks lovely!

    Suggestions:

    • you could (possibly as an option) do like I do in the Transmission custom auth wall, and allow the request if there are BasicAuth credentials. This would allow Transmission to do away with its custom auth thing completely
    • for more advanced use, you could allow this to be restricted to certain URLs in the app (again, as an option)
    2
  • girish (Staff) replied to mehdi #9

    @mehdi said in proxyAuth addon:

    allow the request if there are BasicAuth credentials

    Done (I saw what you did for transmission and did similar)! https://git.cloudron.io/cloudron/box/-/commit/641704a74107fab7c54220428b7d4df3676f51d1

    2
  • ei8fdb replied to nebulon #10

    @nebulon said in What's coming in 6.0 (take 2):

    Alternately, we could certainly add a login screen served up with some kind of session. The question then, as already mentioned, is how to logout. We could provide the app with a logout link, still that needs patching the app to some extent.

    As I understand it, these are personal media apps, right? Is there therefore a need to logout?

    What would happen if a user was able to login, but not log-out? They could close the browser window?

    0
  • girish (Staff) replied to ei8fdb #11

    @ei8fdb I moved your comment to this topic. I think the auth wall applies to all apps which don't have a notion of user management. For example, apps like prometheus etc as well.

    1
  • ei8fdb replied to girish #12

    @girish Gotcha.

    OK. I've used 2 apps that (I think) don't have user management natively - youtube-del and surfer files app. Is that right?

    0
  • girish (Staff) replied to ei8fdb #13

    @ei8fdb Indeed, other apps are transmissions, cloud torrent. They can all use this addon.

    0
  • fbartels (App Dev) replied to ei8fdb #14

    @ei8fdb said in proxyAuth addon:

    surfer

    Surfer has auth for its backend

    0
  • saikarthik wrote (last edited by saikarthik) #15
    This post is deleted!
    0
  • Lonkle wrote #16

    Heck, I'd probably switch to this option if my app didn't need to use LDAP to also grab an access token to get permission to restart and repair apps on-demand (if it doesn't already have an app access token, that is).

    0
  • A Former User replied to girish (last edited by A Former User) #17

    @girish I have a request/question. How tedious would it be to incorporate a way to allow customization of the plugin to specify which routes should be protected in the app? For example, if someone wanted to make a cloudron specific app for personal use, would it be possible to allow this plugin to do the heavy lifting in terms of auth and protect routes like /admin, for instance.

    What I envision is basically the following use cases:

    • an empty list of routes -> all routes are protected
    • a list of routes is provided -> only the specified routes are protected

    I think this could be a game changer for using Cloudron for business apps or people building out their dev stack entirely on Cloudron without compromising the simplicity of the feature.

    Example:

    proxyAuth: {
        routes: [
            'admin',
            'profile'
        ],
    }
    

    EDIT: Also, this just came to my mind: can apps using this plugin access the LDAP info like name, email, etc? I realize I am probably your worst nightmare with these requests but just thought I'd try.

    0
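
The route semantics requested in the post above (an empty list protects everything, otherwise only the listed routes), combined with the reserved /login and /logout routes from the first post, as an added example. This is not Cloudron's code: `normalize`, `decide` and the returned labels are hypothetical, and case-insensitive matching is an assumption chosen so that mistakes err toward requiring auth.

```javascript
// Added example: hypothetical helper, not taken from Cloudron's proxyauth.js.
const RESERVED = ['/login', '/logout']; // reserved by the addon, per the first post

// Canonicalise the path once, so the auth decision and the app see the same thing.
function normalize(rawUrl) {
    let decoded;
    try {
        decoded = decodeURIComponent(rawUrl.split(/[?#]/)[0]);
    } catch (e) {
        return null; // malformed percent-escape: caller fails closed
    }
    const out = [];
    for (const seg of decoded.split('/')) {
        if (seg === '' || seg === '.') continue; // collapses "//" and "/./"
        if (seg === '..') out.pop(); else out.push(seg);
    }
    return '/' + out.join('/');
}

// Match on whole path segments so "admin" does not also cover "/administrator".
function underPrefix(p, prefix) {
    return p === prefix || p.startsWith(prefix + '/');
}

// routes: [] => every route is protected; otherwise only the listed ones are.
function decide(rawUrl, routes) {
    const p = normalize(rawUrl);
    if (p === null) return 'deny';
    if (RESERVED.some((r) => underPrefix(p, r))) return 'proxy-handled';
    if (routes.length === 0) return 'auth-required';
    const lower = p.toLowerCase(); // assumption: treat paths case-insensitively
    const hit = routes.some((r) => underPrefix(lower, '/' + r.toLowerCase()));
    return hit ? 'auth-required' : 'public';
}
```

A check done on the raw URL instead of the normalised path would treat `/public/%2e%2e/admin` as public while the app behind it may resolve it to `/admin`.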
  • girish (Staff) replied to A Former User #18

    @atrilahiji said in proxyAuth addon:

    How tedious would it be to incorporate a way to allow customization of the plugin to specify which routes should be protected in the app

    Currently, up to 1 route can be protected - https://docs.cloudron.io/custom-apps/addons/#proxyauth . So, it's basically what you are asking for except that only one route can be protected.

    Also, this just came to my mind: can apps using this plugin access the LDAP info like name, email, etc?

    I guess we have to make up some HTTP headers to pass on this info like X-REMOTE-USER or something.

    2
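
If user info is passed to the app in headers such as the X-REMOTE-USER floated above, the proxy has to discard any copy of those headers sent by the client before setting its own. An added example of that step follows; it is not Cloudron's implementation, and the header names other than X-REMOTE-USER, the `session` shape and the function names are assumptions.

```javascript
// Added example: hypothetical names, not Cloudron's implementation.
// Headers owned by the proxy. Only X-REMOTE-USER is mentioned in the thread.
const IDENTITY_HEADERS = ['x-remote-user', 'x-remote-email', 'x-remote-name'];

// Some stacks treat "_" and "-" in header names alike, so compare a folded form.
const fold = (name) => name.toLowerCase().replace(/_/g, '-');

// Refuse values that could start a new header line.
function clean(value) {
    const s = String(value);
    if (/[\r\n\0]/.test(s)) throw new Error('control character in header value');
    return s;
}

// clientHeaders: headers as received from the browser.
// session: the user the proxy itself authenticated, or null when there is none.
function upstreamHeaders(clientHeaders, session) {
    const out = {};
    for (const [name, value] of Object.entries(clientHeaders)) {
        if (IDENTITY_HEADERS.includes(fold(name))) continue; // drop the client's copy
        out[name] = value;
    }
    if (session) {
        out['x-remote-user'] = clean(session.username);
        out['x-remote-email'] = clean(session.email);
        out['x-remote-name'] = clean(session.displayName);
    }
    return out;
}
```

The app can only rely on these headers if it is reachable solely through the proxy; a second listener that bypasses it would accept whatever the caller sends.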
  • A Former User replied to girish #19

    @girish Wow I totally didn't realize there were docs for it. Sorry for bugging you!

    0
  • girish (Staff) replied to A Former User #20

    @atrilahiji I just recently pushed it 🙂

    0
