bouncepaw / mycorrhiza

🍄📑 Filesystem and git-based wiki engine for the independent web written in Go using Mycomarkup as its primary markup language.

Home Page:https://mycorrhiza.wiki


Powerful authentication with caddy-security

CrazyPython opened this issue

Hi,

I'm using caddy-security to authenticate requests: https://authp.github.io/

Caddy is a reverse-proxying web server like NGINX. It automatically sets up HTTPS transparently. Caddy-security is a Caddy plugin that allows creating an auth portal that supports email-based registration as well as OAuth providers like Google or Discord and passwordless authentication via email and SMS.

Once authenticated, caddy-security can pass information downstream: https://authp.github.io/docs/authorize/headers

    "X-Token-Subject": "webadmin"
    "X-Token-User-Name": "Web Administrator"
    "X-Token-User-Email": "webadmin@localdomain.local"
    "X-Token-User-Roles": "superadmin guest anonymous"

Because caddy-security has verified the user, there is no need for Mycorrhiza itself to store any authentication credentials.

I would like Mycorrhiza to add support for header-based authentication compatible with caddy-security, as a third option alongside no auth and password auth. To implement support, a user should be logged in as the username corresponding to X-Token-Subject, and if an account does not exist, it should be created.

You could point Mycorrhiza users to caddy-security as the default method, so that you don't need to implement any of this yourself. Caddy can be set up behind or in front of an existing web server and is a statically linked Go executable.

I'm not a Caddy developer, I just think this is the easiest and most ergonomic way to add security to Mycorrhiza.

Caddy sounds fun. I guess one can already use this system, if they set up the wiki to be anonymous and set up this portal. It's like an advanced replacement for Basic Auth, right?

Would the following be enough to implement the feature?

  • Add a toggle in configuration: “Enable Caddy portal”.
  • If there is that username header, authorize with that username.
  • Deny the usual login procedure (i.e. /login and /register would do nothing).

Yup, that would be enough!

The only thing missing would be assigning Mycorrhiza groups based on X-Token-User-Roles. You'd detect myco/editor, myco/trusted, myco/moderator, and myco/admin and give the user the highest role in the header.

However, this only adds a little bit of value, and if it's at all difficult to implement, I'd much prefer you just implement username authentication.
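The three-point plan above and the role mapping from X-Token-User-Roles, as an added example that is not Mycorrhiza's own code: it only honours the X-Token-* headers when the request actually arrived from the proxy address (the `proxyIP` setting and the group names "editor", "trusted", "moderator", "admin" are assumptions, not taken from the project), since a client that reaches the wiki directly could otherwise set those headers itself.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"strings"
)

// Mycorrhiza groups, lowest to highest, matched against X-Token-User-Roles.
// The "myco/..." role names are the ones proposed in the thread; group names are assumed.
var roleRank = map[string]int{"myco/editor": 1, "myco/trusted": 2, "myco/moderator": 3, "myco/admin": 4}
var groupName = []string{"", "editor", "trusted", "moderator", "admin"}

// HighestGroup picks the highest Mycorrhiza group named in a space-separated
// roles header; "" means none of the known roles was present.
func HighestGroup(roles string) string {
	best := 0
	for _, r := range strings.Fields(roles) {
		if rank, ok := roleRank[r]; ok && rank > best {
			best = rank
		}
	}
	return groupName[best]
}

// PortalUser returns the username and group to log in as. Headers are only
// honoured when the request came from the configured proxy address (hypothetical
// setting); any other client gets "" and is treated as anonymous.
func PortalUser(r *http.Request, proxyIP string) (user, group string) {
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil || host != proxyIP {
		return "", ""
	}
	user = strings.TrimSpace(r.Header.Get("X-Token-Subject"))
	if user == "" {
		return "", ""
	}
	return user, HighestGroup(r.Header.Get("X-Token-User-Roles"))
}

func main() {
	// Constructed request, shaped like one caddy-security would forward.
	req, _ := http.NewRequest("GET", "/hypha/example", nil)
	req.RemoteAddr = "127.0.0.1:54321"
	req.Header.Set("X-Token-Subject", "webadmin")
	req.Header.Set("X-Token-User-Roles", "myco/editor myco/admin guest")
	u, g := PortalUser(req, "127.0.0.1")
	fmt.Printf("user=%q group=%q\n", u, g) // user="webadmin" group="admin"
}
```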