Is there an option to protect the web dashboard with a login?
I reviewed this https://loic-sharma.github.io/BaGet/ and I cannot find an option to enable a simple login.
Thanks
This option is not implemented yet.
Could you point me to some classes to try it? Thanks
Hi, you can embed BaGet into a new ASP.NET Core application:
- Basic example - This example just exposes BaGet's HTTP API but does not include the UI. It adds BaGet's services, chooses the database and storage providers, and then adds BaGet's routes.
- More advanced example - This is similar to the previous example but adds the UI and authentication + authorization, plus custom routes for custom logic.
Please note that BaGet's API is not stable yet and we will make breaking changes until we reach 1.0. If you go down this path, expect the need to react to breaking changes. Please let me know if you have additional questions or run into problems!
On my devops pipeline I just need:
- build a nuget package and push it to nuget server using any kind of official authentication
- download the uploaded nuget package using any kind of official authentication
- configure the developer IDE (Visual Studio) in read-only mode, just to download NuGet packages using any kind of official authentication
- open the web dashboard and view the nuget packages using any kind of official authentication
According to my test, the current BaGet server accomplishes that.
Will the changes in the next release accomplish those minimal requirements using an official Microsoft way?
Until your next release, how can I protect the dashboard with a simple login? Currently it is public:

If it were Java or Node.js it would be really simple to add a login.
Or can you point me to another official NuGet implementation ready to use with Docker?
Thanks for your valuable time.
Regards
I added minimal basic authentication for the web endpoints: / and /upload
https://github.com/loic-sharma/BaGet/compare/main...usil:feature-add-basic-auth?expand=1
Summary of the changes (in less than 80 chars)
- Add basic authentication to the web endpoints: / and /upload
- Credentials are the environment variables BAGET_WEB_USER and BAGET_WEB_PASSWORD. If these variables do not exist, the BaGet web endpoints are public (default behavior)
- These variables can be set in .env or via the -e parameter of docker run
Browser test works:
credentials prompt

rejects bad credentials or cancelled auth

but two unit test methods fail:

Could you point me to how to create a test for unauthorized facts?
Also, to do it in a more elegant way:
- I tried with Razor Pages authorization, no luck
- I tried with a middleware, no luck
- I tried with a custom login form, no luck
- I tried with ActionExecutingContext, no luck. It is ignored
Also, if this feature proceeds:
- we need to add brute force attack protection.
- we can design the security as a plugin to enable future Google and Microsoft OAuth2 login.
Hello,
It looks like your branch only adds authentication to the UI. This makes it a little harder to discover your packages, but an attacker could still download your packages if they know NuGet's protocol. You'll also want to add authentication for BaGet's API: https://github.com/loic-sharma/BaGet/blob/5fc5072e24d6c374c63a9dfc0fd351c54047b23c/src/BaGet.Web/BaGetEndpointBuilder.cs#L10-L20
A possible solution could be to add a proxy that authenticates all requests to BaGet. For example see these:
- https://github.com/loic-sharma/BaGet/issues/36#issuecomment-542175296
- https://gist.github.com/DutchCaveman/4287549fc36dace5ac780ce023ddb05a
Could you point me to how to create a test for unauthorized facts
It looks like you're using the Request and Response properties. You will need to update the unit tests to mock them here:
https://github.com/loic-sharma/BaGet/blob/5fc5072e24d6c374c63a9dfc0fd351c54047b23c/tests/BaGet.Web.Tests/Pages/IndexModelFacts.cs#L26
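As an added example (not BaGet's own code and not from anyone in this thread), here is the middleware approach applied to the whole pipeline, so the v3 API routes linked above are gated together with the Razor UI. It reuses the BAGET_WEB_USER / BAGET_WEB_PASSWORD convention from the branch above and assumes BaGet's hosting helpers (AddBaGetApplication, AddSqliteDatabase, AddFileStorage, MapBaGetRoutes) exist as in the embedding examples referenced earlier; those names vary by BaGet version.

```csharp
// Added example, not BaGet's own code. Assumes BaGet's hosting helpers
// (AddBaGetApplication, AddSqliteDatabase, AddFileStorage, MapBaGetRoutes).
using System;
using System.Net.Http.Headers;
using System.Security.Cryptography;
using System.Text;
using System.Threading.Tasks;
using BaGet;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;

public class Program
{
    public static void Main(string[] args) =>
        Host.CreateDefaultBuilder(args)
            .ConfigureWebHostDefaults(web => web.UseStartup<Startup>())
            .Build()
            .Run();
}

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddRazorPages();
        services.AddBaGetApplication(baget =>
        {
            baget.AddSqliteDatabase();
            baget.AddFileStorage();
        });
    }

    public void Configure(IApplicationBuilder app)
    {
        // Runs before routing, so the Razor UI (/, /upload) and the v3 API
        // (service index, search, package download) are all gated by it.
        app.UseMiddleware<BasicAuthMiddleware>();
        app.UseStaticFiles();
        app.UseRouting();
        app.UseEndpoints(endpoints =>
        {
            endpoints.MapRazorPages();
            endpoints.MapBaGetRoutes();
        });
    }
}

public class BasicAuthMiddleware
{
    private readonly RequestDelegate _next;
    private readonly byte[] _user;
    private readonly byte[] _password;

    public BasicAuthMiddleware(RequestDelegate next)
    {
        _next = next;
        var user = Environment.GetEnvironmentVariable("BAGET_WEB_USER");
        var password = Environment.GetEnvironmentVariable("BAGET_WEB_PASSWORD");
        // Same default as the branch above: variables unset means public.
        if (!string.IsNullOrEmpty(user) && !string.IsNullOrEmpty(password))
        {
            _user = Encoding.UTF8.GetBytes(user);
            _password = Encoding.UTF8.GetBytes(password);
        }
    }

    public async Task InvokeAsync(HttpContext context)
    {
        if (_user == null || IsAuthorized(context.Request))
        {
            await _next(context);
            return;
        }
        context.Response.StatusCode = StatusCodes.Status401Unauthorized;
        context.Response.Headers["WWW-Authenticate"] = "Basic realm=\"BaGet\", charset=\"UTF-8\"";
    }

    private bool IsAuthorized(HttpRequest request)
    {
        if (!AuthenticationHeaderValue.TryParse(request.Headers["Authorization"], out var header)
            || !"Basic".Equals(header.Scheme, StringComparison.OrdinalIgnoreCase)
            || string.IsNullOrEmpty(header.Parameter))
            return false;
        string credentials;
        try { credentials = Encoding.UTF8.GetString(Convert.FromBase64String(header.Parameter)); }
        catch (FormatException) { return false; }
        var colon = credentials.IndexOf(':');
        if (colon < 0) return false;
        var user = Encoding.UTF8.GetBytes(credentials.Substring(0, colon));
        var password = Encoding.UTF8.GetBytes(credentials.Substring(colon + 1));
        // Constant-time comparisons, both always evaluated (non-short-circuit &),
        // so a wrong user name costs the same as a wrong password.
        return CryptographicOperations.FixedTimeEquals(user, _user)
            & CryptographicOperations.FixedTimeEquals(password, _password);
    }
}
```

Because the check runs before any endpoint executes, BaGet's own API-key check on upload and delete still runs afterwards; a NuGet client whose nuget.config carries packageSourceCredentials for the source answers the 401 challenge with the Basic header and sends the API key alongside it, so the two layers do not conflict. Brute-force protection is not addressed here; a failed-attempt limiter keyed on the client address would sit in the same middleware.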
- If someone knows the NuGet protocol (internal HTTP endpoints), the ApiKey offers protection. Am I correct?
- I will try the proxy. Just one question: does the proxy apply to the UI pages and the internal HTTP endpoints?
Thanks
Today API keys only protect package uploads and deletions. You can browse and download packages without providing an API key.
By default the proxy should apply to all pages and API endpoints, yup. But you can configure your proxy as you wish and leave unauthenticated endpoints if needed.
If the proxy protects everything, that is fine for me.
But if package uploads and deletions are protected with API keys, we need to disable the proxy for them to prevent double protection (proxy and API key). Am I correct?
Good question. I'm not sure what NuGet does in that scenario, could you try it and let us know your findings?