BTBurke / caddy-jwt

JWT middleware for the Caddy server
MIT License

[Feature Request] Allow whitelist paths #23

Closed captncraig closed 7 years ago

captncraig commented 7 years ago

Consider a case where I want to protect all paths except for the home page (/) and the login page.

I want to do something like:

jwt {
  path /
  redirect /login
  allow user myname 
}

But this also protects the pages I want to be open. My only option is to explicitly define paths I want protected, which could be a bit of a pain. I feel like there should be a way to handle this across all directives, but I have not seen one.

What if I could do:

jwt {
  path /
  except /
  except /login
  redirect /login
  allow user myname 
}

Or something like that?

/ is always an odd case, since for except it needs to be an exact match, not a subpath. Thoughts?

BTBurke commented 7 years ago

Yeah that's probably a good addition. I'll have to think about how best to handle it.

Protecting everything from the root on down and specifying the exceptions could work. Ideally, path and except should have similar semantics. You'd want all child paths to have the same configuration as the parent, like:

jwt {
    path /protected
    except /public
}

Which would make /protected/secret require the JWT and /public/anything be open. To make that work with protecting everything starting at the root domain makes the actual root an indeterminate special case, but you could add a specific directive like:

jwt {
    path /
    except /public
    allowroot true
}

So that you're specifically allowing root access and you can handle that special case explicitly. Would that work?
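The path / except / allowroot semantics proposed in this thread, sketched as an added example that is not part of the original discussion and is not caddy-jwt's own code. The `Rule` type, `under` and `RequiresJWT` are hypothetical names; matching on whole path segments and normalizing the path before matching are assumptions of this sketch.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Rule mirrors the jwt block sketched in the thread (hypothetical type).
type Rule struct {
	Path      string   // protected subtree, e.g. "/"
	Except    []string // subtrees left open
	AllowRoot bool     // opens exactly "/" and nothing below it
}

// under reports whether p is prefix itself or a child of it. It matches on
// whole segments, so "/publicity" is not treated as part of "/public".
// A prefix of "/" covers every path, which is why opening only the root
// needs the separate exact-match AllowRoot flag rather than "except /".
func under(p, prefix string) bool {
	if prefix == "/" {
		return true
	}
	prefix = strings.TrimSuffix(prefix, "/")
	return p == prefix || strings.HasPrefix(p, prefix+"/")
}

// RequiresJWT decides whether a request path must carry a valid token.
func (r Rule) RequiresJWT(reqPath string) bool {
	// Normalize first so "." and ".." segments cannot make a protected
	// path look as if it sits under an excepted prefix.
	p := path.Clean("/" + reqPath)
	if !under(p, r.Path) {
		return false // outside the protected subtree
	}
	if p == "/" && r.AllowRoot {
		return false // explicit root exception, exact match only
	}
	for _, e := range r.Except {
		if under(p, e) {
			return false
		}
	}
	return true
}

func main() {
	r := Rule{Path: "/", Except: []string{"/public"}, AllowRoot: true}
	for _, p := range []string{"/", "/public/anything", "/publicity", "/protected/secret"} {
		fmt.Printf("%-20s requires JWT: %v\n", p, r.RequiresJWT(p))
	}
}
```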

BTBurke commented 7 years ago

This is implemented in version 2.3. Thanks for the idea.

captncraig commented 7 years ago

Thanks!