NuGet / NuGetGallery

NuGet Gallery is a package repository that powers https://www.nuget.org. Use this repo for reporting NuGet.org issues.
Apache License 2.0

Requiring Forms authentication to list/download packages #2172

Closed jonstelly closed 9 years ago

jonstelly commented 10 years ago

I'm trying to secure a gallery (both the user-visible website and the api) and will not be able to use windows authentication. I'd like to limit package listing and download to the accounts that people can register for on the site. I tried setting things up as forms authentication with the following configuration entry, but after filling in my account info on the /users/account/logon page and hitting submit, I get redirected back to the logon page.

<authentication mode="Forms">
  <forms loginUrl="/users/account/Logon"/>
</authentication>
<authorization>
  <deny users="?" />
</authorization>

From a quick look at the gallery code, the LogOn() method on AuthenticationController uses SignIn() as the method to take the posted information, which doesn't seem to play nicely with Forms authentication. If I rename the SignIn() method to LogOn(), Forms authentication and requiring a logon works for the website, but api access (via the Visual Studio Extension) never prompts me to log-on, it just sits there spinning.

I haven't tracked down exactly what's going on with the Visual Studio Extension yet, but I wanted to check to see if there's an easier option to turn off anonymous listing/downloading of packages that I just didn't see documented before I dug into the issue further.

Itron-CHA-Soft commented 10 years ago

Hi, I have the same issue. I have activated Windows authentication and disabled Anonymous authentication. I can't access the website now. When I try to access the home page, I'm redirected to the LogOn page, which redirects me to the LogOn page, and so on. I need to allow only authenticated users to access the package page and to download/list packages through the API. Please can you help me with this issue.

ghost commented 10 years ago

Itron-CHA-Soft, are you being redirected from the LogOn form back to it again? I got it too. This happens because the page makes an API request to the server URL http://localhost/NuGet/api/v2/service-alert?cachebust=1404894103822, which gets redirected to the LogOn form, and again...

ghost commented 10 years ago

Also, to authenticate a user to access the feed from VS, you must set an apiKey for the source, as written in the nuget setapikey <API key> options.

Itron-CHA-Soft commented 10 years ago

My problem is that when I disable the Anonymous authentication and enable Basic or Windows Authentication in IIS, the website doesn't work. I just want to make my NuGetGallery really private and only allow some people in my company to list/retrieve NuGet packages. Is it possible?

kobynet commented 10 years ago

Having the same issue here, is it possible to require user/pass for consuming feed?

DeluxZ commented 9 years ago

+1

yishaigalatzer commented 9 years ago

This issue has been stale for over a year (super bad on our side :( ). Since I see no traffic I assume you figured it out. If not please re-open

holidaycottages commented 8 years ago

I would like to know if this is possible?

yishaigalatzer commented 8 years ago

I don't think there is a way to make VS do it without authoring a credential provider; credential providers are not available to the public yet.

You could do a basic auth instead

yishaigalatzer commented 8 years ago

Didn't read the whole thread :( We will get back with a sample.

maartenba commented 8 years ago

The gallery has not been implemented for this, but with some effort it can be added.

To prevent access to the website side of things (e.g. search/package details page, ...), add an [Authorize] attribute to the controller actions you wish to limit to authenticated users.

To prevent access to the API, add an [Authorize] attribute to the OData controller classes. This will unfortunately redirect to the forms authentication URL, which the NuGet client won't like. To overcome that, you'll have to implement a basic authentication filter for Web API (e.g. http://stevescodingblog.co.uk/basic-authentication-with-asp-net-webapi/) and apply it to the OData controller classes as well. This attribute could make use of the AuthenticationService class to validate basic auth username/password.

brendan-mccoy commented 8 years ago

@maartenba I'm trying to implement this into my solution, but am having some difficulty, mostly due to my unfamiliarity with ASP.NET. When trying to list packages on my local NuGetGallery (after attempting these changes), nuget says

WARNING: Could not connect to the feed specified at 'https://nuget.localtest.me/api/v2'. Please verify that the package source (located in the Package Manager Settings) is valid and ensure your network connectivity.

Applying the [Authorize] attribute to website functions I want is simple enough, but my troubles come with implementing BasicAuthentication so that access to the API could be authenticated.

Firstly, I was wondering which classes in particular I should apply the filters to. Are the three OData classes in NuGetGallery.Controllers all? Or should I also include NuGetGallery.OData.NuGetODataController?

I used the blog post you linked to, and changed

IPasswordTransform transform = DependencyResolver.Current.GetService<IPasswordTransform>();
IRepository<User> userRepository = DependencyResolver.Current.GetService<IRepository<User>>();

User user = userRepository.All(u => u.Username == username && u.PasswordHash == transform.Transform(password)).SingleOrDefault();

to

AuthenticationService auth = DependencyResolver.Current.GetService<AuthenticationService>();
var user = auth.Authenticate(username, password).Result.User;

If this sort of thing is something you think should be on SO instead, please let me know.

maartenba commented 8 years ago

You could apply it to the base NuGetODataController so that the other OData classes inherit from it.

Regarding the SSL error: make sure to visit https://nuget.localtest.me in the browser and add the certificate to your trusted certificates. Not having this certificate trusted means VS will refuse connecting to it :)

rdeaeranda commented 8 years ago

@maartenba, I'm trying to implement this but having issues when connecting via VS Nuget package manager and Nuget command line utility. I don't see the authorisation header in Fiddler. So response is just a redirection to the login page. Any clue of what I have missed?

maartenba commented 8 years ago

Sounds like IIS is hijacking the auth and redirecting to the login page.

rdeaeranda commented 8 years ago

Thanks for your reply. Below are the request and response I found in Fiddler:

GET http://abc-win7-362:93/api/v2/FindPackagesById()?id='xunit.runner.visualstudio' HTTP/1.1
Accept: application/atom+xml, application/xml
user-agent: NuGet Client V3/3.4.4.0 (Microsoft Windows NT 6.1.7601 Service Pack 1, VS Enterprise/14.0)
Host: abc-win7-362:93
Cookie: __RequestVerificationToken=0-z_T07xnqP5FdiVquuSDbxAX_LFmbj9GXyIHksPOwlC8L30jXOof4coTYp91dxDgp3331dJ66b4_6jGO4stOusNoXdJUGITdl2_YRPDqPw1
Accept-Encoding: gzip, deflate

HTTP/1.1 302 Found
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html
Expires: -1
Location: http://abc-win7-362:93/users/account/LogOn?ReturnUrl=%2Fapi%2Fv2%2FFindPackagesById%2528%2529%3Fid%3D%27xunit.runner.visualstudio%27
Server: Microsoft-IIS/7.5
X-CorrelationId: 32cf7522-790b-45ad-9105-e3ee3aadcc38
WWW-Authenticate: ApiKey realm="abc-win7-362"
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000
Date: Mon, 15 Aug 2016 21:55:02 GMT
Content-Length: 78

An API key must be provided in the 'X-NuGet-ApiKey' header to use this service

Any idea from looking at this? I have set the API key using the setapikey command. Sorry if I'm asking a silly question; I'm a little new to .NET authentication. Any help is greatly appreciated. Thanks.

maartenba commented 8 years ago

Definitely Forms Auth kicking in and hijacking this. You may want to try and skip the redirect (e.g. https://gyorgybalassy.wordpress.com/2013/12/10/suppressing-forms-authentcation-redirects/)

rdeaeranda commented 8 years ago

Thanks, yeah, that's the thing happening. But I tried the above suggestion by adding a global.asax file, and it still gets the same 302 response. I debugged the code: the OWIN response in ApplyResponseChallengeAsync() in ApiKeyAuthenticationHandler gets the correct status 401, and after that it's 302.

maartenba commented 8 years ago

Definitely IIS hijacking the redirect. Can you check the ApiKeyAuthenticationHandler? We use an explicit 403 there to make the authentication trigger.
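As an added example combining the two suggestions above (a Basic auth filter over AuthenticationService, and suppressing the forms-auth redirect that turned the 401 into the 302 in the Fiddler trace); this is not code from the gallery repository or from anyone in this thread. Assumptions: the attribute name BasicAuthForFeedAttribute and realm string are invented, DependencyResolver is the MVC one used earlier in the thread, and Authenticate() returns an object exposing .User as in the snippet posted above.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Principal;
using System.Text;
using System.Threading;
using System.Threading.Tasks;
using System.Web;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;
using System.Web.Mvc;                 // DependencyResolver, as used earlier in this thread (assumption)
using NuGetGallery.Authentication;    // AuthenticationService

// Hypothetical Web API filter: decorate the NuGetODataController base class with [BasicAuthForFeed].
public class BasicAuthForFeedAttribute : AuthorizationFilterAttribute
{
    public override async Task OnAuthorizationAsync(HttpActionContext ctx, CancellationToken ct)
    {
        var header = ctx.Request.Headers.Authorization;
        if (header != null && header.Scheme == "Basic" && !string.IsNullOrEmpty(header.Parameter))
        {
            string pair;
            try { pair = Encoding.UTF8.GetString(Convert.FromBase64String(header.Parameter)); }
            catch (FormatException) { pair = string.Empty; }   // malformed header: treat as no credentials
            int colon = pair.IndexOf(':');                     // only the first ':' splits user from password
            if (colon > 0)
            {
                // Reuse the gallery's own password verification rather than re-implementing hashing.
                // Assumption: Authenticate() yields an object with .User, as in the snippet above.
                var auth = DependencyResolver.Current.GetService<AuthenticationService>();
                var result = await auth.Authenticate(pair.Substring(0, colon), pair.Substring(colon + 1));
                if (result != null && result.User != null)
                {
                    var principal = new GenericPrincipal(new GenericIdentity(result.User.Username), new string[0]);
                    Thread.CurrentPrincipal = principal;
                    if (HttpContext.Current != null) HttpContext.Current.User = principal;
                    return;                                    // authenticated: let the OData action run
                }
            }
        }
        // Not authenticated: reply 401 with a Basic challenge. Forms auth would otherwise rewrite this
        // into the 302 to /users/account/LogOn seen in the Fiddler trace, so suppress that for the API.
        if (HttpContext.Current != null)
            HttpContext.Current.Response.SuppressFormsAuthenticationRedirect = true;
        var response = ctx.Request.CreateResponse(HttpStatusCode.Unauthorized);
        response.Headers.WwwAuthenticate.Add(new AuthenticationHeaderValue("Basic", "realm=\"NuGetGallery\""));
        ctx.Response = response;
    }
}
```

The [Authorize] attribute on the website controllers is still needed separately; this filter only covers the feed, and the 401 plus WWW-Authenticate challenge is what makes the NuGet client prompt for credentials instead of hanging on a redirect.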

DoCode commented 7 years ago

+++1 Incredible, can it really be true that in 2016 nobody has a functioning NuGet Gallery WITH authentication running!? If really NOT, then please PING me and we'll start a new fork for this! ::: Beautiful 3rd Advent! :::