
Protect sites with user authentication

Open mtiller opened this issue 2 years ago • 4 comments

It would be nice to have the option to protect the sites with effectively the same authentication that protects the API and the UI. What I mean is, if I configure Gitlab as my authentication provider (to log into Meli), it would be nice to have the option to use exactly the same authentication to protect the sites.

This isn't super important for us right now because we run Meli on prem. But if we run it in public cloud infrastructure, many of the sites we would be pushing are meant for internal use and the viewers of the web sites are the same set of people as the "users".

Just a thought.

mtiller, Feb 01 '22 14:02

I have a question here (for @gempain?). Does the API do its own authentication checking? It looks like the API checks authentication for users, but the caddy configuration has checks as well, and these appear to be only for the "password protection" checks. Is this correct? I'm hoping not, because I was hoping to just add an option to have caddy slip in a verification of user tokens as a guard if so configured (to address this issue). But I'm a bit worried that caddy doesn't actually pay any attention to user tokens. Yes or no?

mtiller, Feb 02 '22 22:02

@mtiller you're right, Caddy doesn't do the user token checks; it only does the site protection, as those credentials are static. API token authentication and authorization is fully delegated to the express app, which allows us to do awesome checks like allowing a token to access a single endpoint or have an expiration date. To be more specific, we have the authorizeApiReq express middleware that validates your API token and extracts the endpoints you gave it access to. This middleware loads your api token and user data and stores them in req.apiToken and req.user, which are then used by the apiGuard. This guard is automatically added to API endpoints registered via apiEndpoint when an apiScope is provided, as for example done here.

gempain, Feb 02 '22 23:02

I don't know what to do about this ticket. It looks like this wouldn't be an easy thing to add because of this dichotomy in authentication schemes. But I did a tiny bit of research and it seems to me (admittedly a total novice with caddy) that something like this might open up a nice set of options:

https://github.com/greenpau/caddy-security/blob/main/README.md

mtiller, Feb 03 '22 17:02

I think Caddy offers an option to authenticate with JWT tokens and you can provide a custom endpoint to call for checking these tokens. I need to think deeper about what impacts this would have.

gempain, Feb 04 '22 15:02