Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Powerful authentication with caddy-security #199

Open
CrazyPython opened this issue Jun 9, 2023 · 3 comments
Open

Powerful authentication with caddy-security #199

CrazyPython opened this issue Jun 9, 2023 · 3 comments

Comments

@CrazyPython
Copy link

CrazyPython commented Jun 9, 2023

Hi,

I'm using caddy-security to authenticate requests: https://authp.github.io/

Caddy is a reverse-proxying web server like NGINX. It automatically sets up HTTPS transparently. Caddy-security is a Caddy plugin that allows creating an auth portal that supports email-based registration as well as OAuth providers like Google or Discord and passwordless authentication via email and SMS.

Once authenticated, caddy-security can pass information downstream: https://authp.github.io/docs/authorize/headers

    "X-Token-Subject": "webadmin"
    "X-Token-User-Name": "Web Administrator"
    "X-Token-User-Email": "[email protected]"
    "X-Token-User-Roles": "superadmin guest anonymous"

Because caddy-security has verified the user, there is no need for Mycorrhiza itself to store any authentication credentials.

I would like to add Mycorrhiza to add support for header-based authentication compatible with caddy-security, as a third option to no auth and password auth. To implement support, a user should be logged into the username corresponding to X-Token-Subject, and if an account does not exist, it should be created.

You could point Mycorrizha users to using caddy-security as the default method, so that you don't need to implement any of this yourself. Caddy can be set up behind or in front of an existing web server and is a statically linked Go executable.

I'm not a Caddy developer, I just think this is the easiest and most ergonomic way to add security to Mycorrhiza.

@bouncepaw
Copy link
Owner

Caddy sounds fun. I guess one can already use this system, if they set up the wiki to be anonymous and set up this portal. It's like Basic Auth advanced replacement, right?

Would the following be enough to implement the feature?:

  • Add a toggle in configuration: “Enable Caddy portal”.
  • If there is that username header, authorize with that username.
  • Deny the usual login procedure (ie /login and /register) would do nothing.

@CrazyPython
Copy link
Author

Yup, that would be enough!

@CrazyPython
Copy link
Author

The only thing missing would be assigning Mycorrhiza groups based on X-Token-User-Roles. You'd detect myco/editor, myco/trusted, myco/moderator, and myco/admin and give the user the highest role in the header.

However, this only adds a little bit of value, and if it's at all difficult to implement, I'd much prefer you just implement username authentication.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants