-
-
Notifications
You must be signed in to change notification settings - Fork 678
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Added Header Authentication - Server Part #312
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@joewashear007 can you also look at adding a trusted proxy header auth config option where we can specify cidrs that are allowed to perform header auth? That should help make this a bit more palatable for folks who are security conscious while we still haven't added multi-token support (which would be a first step in allowing us to support better mechanisms like jwts for this).
You should be able to verify the request against the trusted ips using https://github.com/jshttp/proxy-addr#readme which is already available in the project.
I think that should be do able. I hope to get to this this week, |
I am still wanting to work on this, I just haven't gotten the free time to make it happen. |
@twk3 I was looking at this some more tonight and I want to make I am thinking about this correctly. I am assumeing that we want to make a config option that will be for the cidr for auth server. If this is set, when we do an authenticate request, we should check if the sender to see if it is in the range of the cidr we expected, then pass or fail based on that. I am not sure how to best use I see that |
@joewashear007 sorry, you're right. Taking another look, I think you are on the right path, but we can probably just use For reference this is what is done for authetik and this home assistance addon (python so the code doesn't apply here, but I mean in terms of what we are trying to enable) https://github.com/BeryJu/hass-auth-header |
Added a new config option loginMethod that can be password (default) or header for header authentication. This value is returned to the client to be used on the front end
@twk3 I think have gotten this part working. I was able to test multiple cases on my local machine and I think it working nicely:
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looking good! I still need to try it out with the client side and review it holistically. In the meantime I've left some minor feedback here.
It seems rather strange to me to do this for this use-case. Normally you would have whitelisting for trusted proxies when you're actually relying on the proxy to provide correct information, such as if the proxy gives you the name of a pre-authenticated user or to pass in the original client IP as otherwise it might be possible for a malicious client to lie about either of those things, but in this case we're just shifting the exact same information to be sent in a custom header rather than in
|
Oh sorry, I just realized that I completely forgot how the authentication already works, d'oh. But well, if we're going to do it this way then I still think that both 1) it would make more sense to use the |
@kyrias thanks for the feedback. I totally agree that would be nice to use the |
@joewashear007 I'm confused as to what you mean. What would be the problem with supplying the same password through the |
My understanding is that the |
Using the |
I guess that is valid. I know Azure DevOps does that with their API, I just thought it was a weird way to do it. My implementation would allow that to be a third option pretty easily. |
That is a good point. I asked for it to be implemented more as a gating mechanism for controlling how widely header auth is accepted. Not realising/checking that login wasn't already enforcing csrf tokens (so it's not really widening exposure atm). I still think having them it's ideal. But it shouldn't have been required at this stage. |
Co-authored-by: DJ Mountney <[email protected]>
Sounds good, I think I might have mixed that up trying to get the TS compile to work. |
Bumps [tar](https://github.com/isaacs/node-tar) from 6.1.11 to 6.2.1. - [Release notes](https://github.com/isaacs/node-tar/releases) - [Changelog](https://github.com/isaacs/node-tar/blob/main/CHANGELOG.md) - [Commits](isaacs/node-tar@v6.1.11...v6.2.1) --- updated-dependencies: - dependency-name: tar dependency-type: indirect ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…albudget#334) * Allow setting accessValidForDays per bank This also stops taking `accessValidForDays` from the client since it's hardcoded there anyway and it's simpler to just have these per-bank values in one place. Signed-off-by: Johannes Löthberg <[email protected]> * Get the max allowed maxHistoricalDays value from the GoCardless API Signed-off-by: Johannes Löthberg <[email protected]> * Upgrade nordigen-node to 1.4.0 Contrary to the claims in the nordigen-node changelog 1.3.0 did *not* fix the missing support for passing in accessValidForDays, so we have to upgrade to 1.4.0 to actually get the fix. Signed-off-by: Johannes Löthberg <[email protected]> --------- Signed-off-by: Johannes Löthberg <[email protected]>
…BABEBB (actualbudget#345) * Add backup date field for GoCardless transactions with bank BNP_BE_GEBABEBB * release note
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks @joewashear007
Merging the server side now
Would really appreciate it if you could start preparing a documentation PR regarding this for our June release.
* Added loginMethod config option Added a new config option loginMethod that can be password (default) or header for header authentication. This value is returned to the client to be used on the front end --------- Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: Johannes Löthberg <[email protected]> Co-authored-by: DJ Mountney <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Johannes Löthberg <[email protected]> Co-authored-by: Matt Fiddaman <[email protected]> Co-authored-by: DJ Mountney <[email protected]>
This is my attempt at an implementation of header authentication as referenced in issue actualbudget/actual#1092
Looking at how actual passwords work, the front end simply sends a password, so my take was to have my SSO proxy set a
X-ACTUAL-PASSWORD
header that has the value of the my Actual password. To enable this, I add a new envACTUAL_LOGIN_METHOD
which should have the value of "header".I updated the the
/account/login
endpoint to check this env and pass along the header value to existing login logic.I also added another property to the
/account/needs-bootstrap
that returns the property of the loginMethod. I am working on a second PR (actualbudget/actual#2362) that will adjust the login to automatically the call the/account/login
endpoint.Please let me know your thought and recommendations how I can improve and test this.
Joseph