Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Protect sites with user authentication #245

Open
mtiller opened this issue Feb 1, 2022 · 4 comments
Open

Protect sites with user authentication #245

mtiller opened this issue Feb 1, 2022 · 4 comments
Labels
feature New feature

Comments

@mtiller
Copy link

mtiller commented Feb 1, 2022

It would be nice to have the option to protect the sites with effectively the same authentication that protects the API and the UI. What I mean is, if I configure Gitlab as my authentication provider (to log into Meli), it would be nice to have the option to use exactly the same authentication the protect the sites.

This isn't super important for us right now because we run Meli on prem. But if we run it in public cloud infrastructure, many of the sites we would be pushing are meant for internal use and the viewers of the web sites are the same set of people as the "users".

Just a thought.
@gempain gempain added the feature New feature label Feb 1, 2022
@mtiller mtiller changed the title Protect branches with user authentication Protect sites with user authentication Feb 2, 2022
@mtiller
Copy link
Author

mtiller commented Feb 2, 2022

I have a question here (for @gempain?). Does the API do its own authentication checking? It looks like the API checks authentication for users but the caddy configuration has checks as well but these appear to be only for the "password protection" checks. Is this correct? I'm hoping not because I was hoping to just add an option to have caddy slip in a verification of user tokens as a guard if so configured (to address this issue). But I'm a bit worried that caddy doesn't actually pay any attention to user tokens. Oui ou non?

@gempain
Copy link
Contributor

gempain commented Feb 2, 2022

@mtiller you're right, Caddy doesn't do the user token checks, it only the site protection as those credentials are static. API token authentication and authorization is fully delegated to the express app, which allows us to do awesome checks like allowing a token to access a single endpoint or have an expiration date. To be more specific, we have the authorizeApiReq express middleware that validates your API token and extracts the endpoints you gave it access to. This middleware loads your api token and user data and stores them in req.apiToken and req.user which are then used by the apiGuard . This guard is automatically added to API endpoints registered via apiEndpoint when an apiScope is provided, as for example done here.

@mtiller
Copy link
Author

mtiller commented Feb 3, 2022

I don't know what to do about this ticket. It looks like this wouldn't be an easy thing to add because of this dichotomy in authentication schemes. But I did a tiny bit of research and it seems to me (admittedly a total novice with caddy) that something like this might open up a nice set of options:

https://github.com/greenpau/caddy-security/blob/main/README.md

@gempain
Copy link
Contributor

gempain commented Feb 4, 2022

I think Caddy offers an option to authenticate with JWT tokens and you can provide a custom endpoint to call for checking these tokens. I need to think deeper about what impacts this would have.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
feature New feature
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@mtiller @gempain