proxyAuth addon

girish

Back in the day, we had an "oauth proxy" for apps that didn't support any authentication to put up an auth wall. This was brought up https://forum.cloudron.io/topic/1451/alternative-to-oauth-proxy . We removed that proxy when we removed OAuth support altogether.

Recently, there is a bunch of apps that require an auth wall including:

• Prometheus server/alert manager
• Cloud torrent
• Transmission
• Apps like surfer
• Many of our internal apps

I have put in this "proxy auth" feature in Cloudron 6. Just have to add it to addons in the manifest like:

"addons": {
    "proxyAuth": {}
}

Just like the ldap addon, user can then select which users/groups can authenticate. If the manifest also has optionalSso, then user can choose to let the app have no auth wall altogether.

When using this feature, two routes are "reserved" - /login and /logout. Some benefits of having this on the platform side (as opposed in the app are):

• 2FA login
• Session management in the user's profile page. i.e can logout from apps etc
• Easier for us to maintain this feature. Currently, this feature has already been re-implemented in the apps using 3 different stacks - nginx/apache/node...

I took a lot of inspiration from https://github.com/andygock/auth-server and @mehdi's transmission code. So, big thanks to them!

Lonkle

I thought this would be a year away at least. This is amazing work. Thanks @girish and @mehdi!

girish

I took a screen cap

girish

I was berated by @nebulon for not using our peertube instance So, here you go:

https://videos.cloudron.io/videos/watch/7774aa02-2256-4f76-b626-9ed78d96f535

fbartels

@girish do I get it right, that this is basically done without any modification of the app itself? Just turn on the add on and it will be used automatically?

girish

@fbartels Correct. Just the one line added proxyAuth added to the addons in the manifest (~0:07 in the video). https://git.cloudron.io/cloudron/box/-/blob/master/src/proxyauth.js and there is the nginx config https://git.cloudron.io/cloudron/box/-/blob/master/src/nginxconfig.ejs#L238

marcusquinn

Oooo, swish! Nicely done!

mehdi

@girish this looks lovely !

Suggestions:

• you could (possibly as an option) do like I do in the Transmission custom auth wall, and allow the request if there are BasicAuth credentials. This would allow Transmission to do away with its custom auth thing completely
• for more advanced use, you could allow this to be restricted to certain URLs in the app (again, as an option)

girish

@mehdi said in proxyAuth addon:

allow the request if there are BasicAuth credentials

Done (I saw what you did for transmission and did similar) ! https://git.cloudron.io/cloudron/box/-/commit/641704a74107fab7c54220428b7d4df3676f51d1

ei8fdb

@nebulon said in What's coming in 6.0 (take 2):

Alternately, we could certainly add a login screen served up with some kind of session. The question then, as already mentioned, is how to logout. We could provide the app with a logout link, still that needs patching the app to some extent.

As I understand it, these are personal media apps, right? Is there therefore a need to logout?

What would happen if a user was able to login, but not log-out? They could close the browser window?

girish

@ei8fdb I moved your comment to this topic. I think the auth wall applies to all apps which don't have a notion of user management. For example, apps like prometheus etc as well.

ei8fdb

@girish Gotcha.

OK. I've used 2 apps that (I think) don't have user management natively - youtube-del and surfer files app. Is that right?

girish

@ei8fdb Indeed, other apps are transmissions, cloud torrent. They can all use this addon.

fbartels

@ei8fdb said in proxyAuth addon:

surfer

Surfer has auth for it's backend

saikarthik

This post is deleted!

Lonkle

Heck, I'd probably switch to this option if my app didn't need to use LDAP to also grab an access token to get permission to restart and repair apps on-demand (if it doesn't already have an app access token, that is).

A Former User

@girish I have a request/question. How tedious would it be to incorporate a way to allow customization of the plugin to specify which routes should be protected in the app? For example, if someone wanted to make a cloudron specific app for personal use, would it be possible to allow this plugin to do the heavy lifting in terms of auth and protect routes like /admin, for instance.

What I invision is basically the following use cases:

• an empty list of routes -> all routes are protected
• a list of routes is provided -> only the specified routes are protected

I think this could be a game changer for using Cloudron for business apps or people building out their dev stack entirely on Cloudron without compromising the simplicity of the feature.

Example:

proxyAuth: {
    routes: [
        'admin',
        'profile'
    ],
}

EDIT: Also, this just came to my mind: can apps using this plugin access the LDAP info like name, email, etc? I realize I am probably your worst nightmare with these requests but just thought I'd try.

girish

@atrilahiji said in proxyAuth addon:

How tedious would it be to incorporate a way to allow customization of the plugin to specify which routes should be protected in the app

Currently, up to 1 route can be protected - https://docs.cloudron.io/custom-apps/addons/#proxyauth . So, it's basically what you are asking for except that only one route can be protected.

Also, this just came to my mind: can apps using this plugin access the LDAP info like name, email, etc?

I guess we have to make up some HTTP headers to pass on this info like X-REMOTE-USER or something.

A Former User

@girish Wow I totally didn't realize there were docs for it. Sorry for bugging you!

girish

@atrilahiji I just recently pushed it