hirokiky / django-basicauth

Basic auth utilities for Django.

apply basic auth to all endpoints except for one (or excluded pattern)

chris48s opened this issue · comments

Hi.
Thanks for this package. I am using it to apply a basic auth restriction to staging deploys for a couple of my websites.

I host my sites on AWS behind an Elastic Load Balancer (ELB). When you set up an ELB, you give it a 'health check' URL. The Load Balancer periodically requests this URL and checks the response's status is 200 OK to ensure the server is 'healthy'. If it gets anything other than a 200 OK, it marks the server as unhealthy. The load balancer doesn't have the option to pass auth credentials.

What this means is I want to set up my staging deploys with basic auth applied to every endpoint except for one which isn't protected, so that the load balancer can ping that endpoint and get a 200 OK rather than a 401 Unauthorized. Every other route should be behind basic auth. For obvious reasons, it is cumbersome to decorate every view other than one with @basic_auth_required, so the way I've done this is by subclassing BasicAuthMiddleware so that I can turn on basic auth for everything but then whitelist one endpoint using a regex. I've taken inspiration from the old django-moat package, which is no longer maintained but did have this feature.
example: https://github.com/DemocracyClub/EveryElection/blob/master/every_election/apps/core/middleware.py

2 questions:

  1. Is there a better way of doing this that I am missing?
  2. If not, would you accept a PR to add this feature to the package?

Cheers

This is probably no longer relevant to the OP anymore, but for everyone who stumbles across this in the future:
Just use an ALB instead of an ELB, then you can configure a list of HTTP status codes that are considered healthy.

Nonetheless this would be a cool feature for this library imho :)

I understood what you need.
Basically, I recommend using Nginx (or some web server) to return 200 for the healthcheck.
You can make /healthcheck URL or so.

But your proposal makes sense for me.
So I left this issue.

Slightly off-topic, but this is imho a bad practice, because the only thing you are checking this way is if your nginx is alive and not if your website is running, because your application server behind nginx can be dead and the healthcheck would still return 200. Therefore the health endpoint should be handled by the application itself (which checks both the web and application server) and ideally even check stuff like e.g. the database connection before returning a 200.
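A worked version of the two points raised in this thread, written here as an added example; it is not code from django-basicauth or from the linked EveryElection middleware. It shows the original poster's approach (everything behind Basic auth, one endpoint allow-listed by an anchored regex) together with the application-level health view the last comment asks for, which only returns 200 when its dependency checks pass. So that it runs without Django installed, it uses constructed stand-in `Request`/`Response` classes in place of `HttpRequest`/`HttpResponse` and checks the credentials inline instead of delegating to `BasicAuthMiddleware`; the user name, password, realm and the `/healthcheck` path are assumptions.

```python
import base64
import hmac
import re

# Constructed stand-ins so the example runs without Django. A real Django
# middleware receives HttpRequest/HttpResponse, which expose the same
# `path`, `META` and `status_code` attributes used below.
class Request:
    def __init__(self, path, meta=None):
        self.path = path
        self.META = dict(meta or {})

class Response:
    def __init__(self, status_code, content=b"", headers=None):
        self.status_code = status_code
        self.content = content
        self.headers = headers or {}

# Assumed credentials for the example; load these from settings/env in practice.
BASIC_AUTH_USER = "staging"
BASIC_AUTH_PASSWORD = "s3cret"
REALM = "staging"

def credentials_are_valid(authorization_header):
    """Parse an HTTP Basic Authorization header and compare user:password
    against the expected pair in constant time. Malformed input -> False."""
    if not authorization_header:
        return False
    scheme, _, encoded = authorization_header.partition(" ")
    if scheme.lower() != "basic" or not encoded:
        return False
    try:
        decoded = base64.b64decode(encoded.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return False
    user, sep, password = decoded.partition(":")
    if not sep:
        return False
    return hmac.compare_digest(user.encode("utf-8"), BASIC_AUTH_USER.encode("utf-8")) and \
        hmac.compare_digest(password.encode("utf-8"), BASIC_AUTH_PASSWORD.encode("utf-8"))

class BasicAuthExceptMiddleware:
    """Django-style middleware: every path requires Basic auth except those
    matching EXEMPT_PATTERNS. Patterns are anchored so that only the intended
    endpoint bypasses auth (e.g. /healthcheck-admin still needs credentials)."""
    EXEMPT_PATTERNS = [re.compile(r"^/healthcheck/?$")]

    def __init__(self, get_response):
        self.get_response = get_response

    def is_exempt(self, path):
        return any(pattern.match(path) for pattern in self.EXEMPT_PATTERNS)

    def __call__(self, request):
        if self.is_exempt(request.path):
            return self.get_response(request)
        if credentials_are_valid(request.META.get("HTTP_AUTHORIZATION")):
            return self.get_response(request)
        # Challenge the client; without WWW-Authenticate browsers won't prompt.
        return Response(401, b"Unauthorized", {"WWW-Authenticate": f'Basic realm="{REALM}"'})

def health_view(request, checks=()):
    """Application-level health endpoint: 200 only if every dependency check
    passes, otherwise 503 so the load balancer marks this node unhealthy."""
    failures = [name for name, check in checks if not check()]
    if failures:
        return Response(503, ("unhealthy: " + ", ".join(failures)).encode("utf-8"))
    return Response(200, b"ok")

def make_basic_header(user, password):
    """Build the Authorization value a client would send (used to simulate requests)."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"

def build_handler(db_ok=True):
    """Wire a tiny router (health view + one protected page) behind the middleware.
    `db_ok` stands in for a real database ping in the health checks."""
    checks = (("database", lambda: db_ok),)

    def get_response(request):
        if request.path.rstrip("/") == "/healthcheck":
            return health_view(request, checks)
        return Response(200, b"protected page")

    return BasicAuthExceptMiddleware(get_response)

def handle(path, authorization=None, db_ok=True):
    """Return the status code the stack produces for a simulated request."""
    meta = {"HTTP_AUTHORIZATION": authorization} if authorization else {}
    return build_handler(db_ok)(Request(path, meta)).status_code

if __name__ == "__main__":
    print("/healthcheck, no auth:", handle("/healthcheck"))
    print("/, no auth:", handle("/"))
    print("/, good auth:", handle("/", make_basic_header("staging", "s3cret")))
    print("/healthcheck, db down:", handle("/healthcheck", db_ok=False))
```

With the real package you would keep `BasicAuthMiddleware` for the credential check and only add the `is_exempt` short-circuit in a subclass, as the issue describes; the inline check here exists so the example is self-contained. Note that the exemption regex must be anchored, otherwise a prefix match silently opens more of the site than the one endpoint the balancer needs.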