Protect sites with user authentication #245
Comments
mtiller
changed the title
|
I have a question here (for @gempain?). Does the API do its own authentication checking? It looks like the API checks authentication for users but the |
|
@mtiller you're right, Caddy doesn't do the user token checks, it only the site protection as those credentials are static. API token authentication and authorization is fully delegated to the express app, which allows us to do awesome checks like allowing a token to access a single endpoint or have an expiration date. To be more specific, we have the authorizeApiReq express middleware that validates your API token and extracts the endpoints you gave it access to. This middleware loads your api token and user data and stores them in |
|
I don't know what to do about this ticket. It looks like this wouldn't be an easy thing to add because of this dichotomy in authentication schemes. But I did a tiny bit of research and it seems to me (admittedly a total novice with https://github.com/greenpau/caddy-security/blob/main/README.md |
|
I think Caddy offers an option to authenticate with JWT tokens and you can provide a custom endpoint to call for checking these tokens. I need to think deeper about what impacts this would have. |
It would be nice to have the option to protect the sites with effectively the same authentication that protects the API and the UI. What I mean is, if I configure Gitlab as my authentication provider (to log into Meli), it would be nice to have the option to use exactly the same authentication the protect the sites.
This isn't super important for us right now because we run Meli on prem. But if we run it in public cloud infrastructure, many of the sites we would be pushing are meant for internal use and the viewers of the web sites are the same set of people as the "users".
Just a thought.
The text was updated successfully, but these errors were encountered: