Cloudron makes it easy to run web apps like WordPress, Nextcloud, GitLab on your server. Find out more or install now.


Navigation

    Cloudron Forum

    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular

    proxyAuth addon

    App Packaging & Development
    15
    53
    647
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • girish
      girish Staff last edited by girish

      Back in the day, we had an "oauth proxy" for apps that didn't support any authentication to put up an auth wall. This was brought up https://forum.cloudron.io/topic/1451/alternative-to-oauth-proxy . We removed that proxy when we removed OAuth support altogether.

      Recently, there is a bunch of apps that require an auth wall including:

      • Prometheus server/alert manager
      • Cloud torrent
      • Transmission
      • Apps like surfer
      • Many of our internal apps

      I have put in this "proxy auth" feature in Cloudron 6. Just have to add it to addons in the manifest like:

      "addons": {
          "proxyAuth": {}
      }
      

      Just like the ldap addon, user can then select which users/groups can authenticate. If the manifest also has optionalSso, then user can choose to let the app have no auth wall altogether.

      When using this feature, two routes are "reserved" - /login and /logout. Some benefits of having this on the platform side (as opposed in the app are):

      • 2FA login
      • Session management in the user's profile page. i.e can logout from apps etc
      • Easier for us to maintain this feature. Currently, this feature has already been re-implemented in the apps using 3 different stacks - nginx/apache/node...

      I took a lot of inspiration from https://github.com/andygock/auth-server and @mehdi's transmission code. So, big thanks to them!

      atrilahiji N 2 Replies Last reply Reply Quote 13
      • Lonk
        Lonk last edited by

        I thought this would be a year away at least. This is amazing work. Thanks @girish and @mehdi!

        1 Reply Last reply Reply Quote 0
        • girish
          girish Staff last edited by

          I took a screen cap

          Youtube Video

          1 Reply Last reply Reply Quote 5
          • girish
            girish Staff last edited by girish

            I was berated by @nebulon for not using our peertube instance 🙂 So, here you go:

            https://videos.cloudron.io/videos/watch/7774aa02-2256-4f76-b626-9ed78d96f535

            fbartels 1 Reply Last reply Reply Quote 7
            • fbartels
              fbartels App Dev @girish last edited by

              @girish do I get it right, that this is basically done without any modification of the app itself? Just turn on the add on and it will be used automatically?

              girish 1 Reply Last reply Reply Quote 0
              • girish
                girish Staff @fbartels last edited by

                @fbartels Correct. Just the one line added proxyAuth added to the addons in the manifest (~0:07 in the video). https://git.cloudron.io/cloudron/box/-/blob/master/src/proxyauth.js and there is the nginx config https://git.cloudron.io/cloudron/box/-/blob/master/src/nginxconfig.ejs#L238

                1 Reply Last reply Reply Quote 2
                • marcusquinn
                  marcusquinn last edited by

                  Oooo, swish! Nicely done!

                  1 Reply Last reply Reply Quote 0
                  • mehdi
                    mehdi App Dev last edited by

                    @girish this looks lovely !

                    Suggestions:

                    • you could (possibly as an option) do like I do in the Transmission custom auth wall, and allow the request if there are BasicAuth credentials. This would allow Transmission to do away with its custom auth thing completely
                    • for more advanced use, you could allow this to be restricted to certain URLs in the app (again, as an option)
                    girish 1 Reply Last reply Reply Quote 2
                    • girish
                      girish Staff @mehdi last edited by

                      @mehdi said in proxyAuth addon:

                      allow the request if there are BasicAuth credentials

                      Done (I saw what you did for transmission and did similar) ! https://git.cloudron.io/cloudron/box/-/commit/641704a74107fab7c54220428b7d4df3676f51d1

                      1 Reply Last reply Reply Quote 2
                      • ei8fdb
                        ei8fdb @nebulon last edited by

                        @nebulon said in What's coming in 6.0 (take 2):

                        Alternately, we could certainly add a login screen served up with some kind of session. The question then, as already mentioned, is how to logout. We could provide the app with a logout link, still that needs patching the app to some extent.

                        As I understand it, these are personal media apps, right? Is there therefore a need to logout?

                        What would happen if a user was able to login, but not log-out? They could close the browser window?

                        girish 1 Reply Last reply Reply Quote 0
                        • girish
                          girish Staff @ei8fdb last edited by

                          @ei8fdb I moved your comment to this topic. I think the auth wall applies to all apps which don't have a notion of user management. For example, apps like prometheus etc as well.

                          ei8fdb 1 Reply Last reply Reply Quote 1
                          • ei8fdb
                            ei8fdb @girish last edited by

                            @girish Gotcha.

                            OK. I've used 2 apps that (I think) don't have user management natively - youtube-del and surfer files app. Is that right?

                            girish fbartels 2 Replies Last reply Reply Quote 0
                            • girish
                              girish Staff @ei8fdb last edited by

                              @ei8fdb Indeed, other apps are transmissions, cloud torrent. They can all use this addon.

                              1 Reply Last reply Reply Quote 0
                              • fbartels
                                fbartels App Dev @ei8fdb last edited by

                                @ei8fdb said in proxyAuth addon:

                                surfer

                                Surfer has auth for it's backend

                                1 Reply Last reply Reply Quote 0
                                • S
                                  saikarthik last edited by saikarthik

                                  This post is deleted!
                                  1 Reply Last reply Reply Quote 0
                                  • Lonk
                                    Lonk last edited by

                                    Heck, I'd probably switch to this option if my app didn't need to use LDAP to also grab an access token to get permission to restart and repair apps on-demand (if it doesn't already have an app access token, that is).

                                    1 Reply Last reply Reply Quote 0
                                    • atrilahiji
                                      atrilahiji App Dev @girish last edited by atrilahiji

                                      @girish I have a request/question. How tedious would it be to incorporate a way to allow customization of the plugin to specify which routes should be protected in the app? For example, if someone wanted to make a cloudron specific app for personal use, would it be possible to allow this plugin to do the heavy lifting in terms of auth and protect routes like /admin, for instance.

                                      What I invision is basically the following use cases:

                                      • an empty list of routes -> all routes are protected
                                      • a list of routes is provided -> only the specified routes are protected

                                      I think this could be a game changer for using Cloudron for business apps or people building out their dev stack entirely on Cloudron without compromising the simplicity of the feature.

                                      Example:

                                      proxyAuth: {
                                          routes: [
                                              'admin',
                                              'profile'
                                          ],
                                      }
                                      

                                      EDIT: Also, this just came to my mind: can apps using this plugin access the LDAP info like name, email, etc? I realize I am probably your worst nightmare with these requests but just thought I'd try.

                                      girish 1 Reply Last reply Reply Quote 0
                                      • girish
                                        girish Staff @atrilahiji last edited by

                                        @atrilahiji said in proxyAuth addon:

                                        How tedious would it be to incorporate a way to allow customization of the plugin to specify which routes should be protected in the app

                                        Currently, up to 1 route can be protected - https://docs.cloudron.io/custom-apps/addons/#proxyauth . So, it's basically what you are asking for except that only one route can be protected.

                                        Also, this just came to my mind: can apps using this plugin access the LDAP info like name, email, etc?

                                        I guess we have to make up some HTTP headers to pass on this info like X-REMOTE-USER or something.

                                        atrilahiji 1 Reply Last reply Reply Quote 2
                                        • atrilahiji
                                          atrilahiji App Dev @girish last edited by

                                          @girish Wow I totally didn't realize there were docs for it. Sorry for bugging you!

                                          girish 1 Reply Last reply Reply Quote 0
                                          • girish
                                            girish Staff @atrilahiji last edited by

                                            @atrilahiji I just recently pushed it 🙂

                                            1 Reply Last reply Reply Quote 1
                                            • First post
                                              Last post