astubenbord / paperless-mobile

An (almost) fully fledged mobile paperless client.
GNU General Public License v3.0
609 stars 31 forks

[Feature]: support authorization via auth proxy #387

Closed Jipok closed 3 months ago

Jipok commented 4 months ago

Description

There are various authorizing reverse proxies. For example: https://github.com/oauth2-proxy/oauth2-proxy, https://github.com/Jipok/Jauth. They take care of authentication, authorization, registration, etc. They are easy to support for the developer (server part): all that is needed is to process the configured header (most often this is Remote-User or X-Forwarded-User) where the username is specified. They are also convenient for the user, since there is no need to remember/store extra login/password pairs, provide a single entry point for their own services and increase security.

And paperless-ngx supports this: https://docs.paperless-ngx.com/configuration/#PAPERLESS_ENABLE_HTTP_REMOTE_USER

I ask to add support for this method to the application. I tried logging in through certificates and it’s even more inconvenient than login + password. And the method of transferring and storing the key raises doubts that it is more secure than a regular login + password.

To implement it, you need to show a web page (WebView) to the user when receiving 401 from the server, and after the server returns 200 (or another code, but not 401), then take all the session cookies and use them when interacting with the server.
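An added example, not part of the original post and not code from paperless-ngx, paperless-mobile or either proxy: header-based login on the server side is only sound when the username header is accepted solely from the proxy, so the check below keys on the TCP peer address. The proxy networks and the names `RemoteUserMiddleware`, `resolve_user`, `demo_app` and `call` are assumptions made for this example.

```python
import ipaddress

# Assumption: the auth proxy reaches the backend from these networks only.
TRUSTED_PROXIES = [ipaddress.ip_network("127.0.0.1/32"),
                   ipaddress.ip_network("10.0.0.0/24")]
# WSGI exposes the request header "Remote-User" under this environ key.
HEADER_KEY = "HTTP_REMOTE_USER"

def from_trusted_proxy(environ):
    """True when the TCP peer (not any forwarded header) is a known proxy."""
    try:
        peer = ipaddress.ip_address(environ.get("REMOTE_ADDR", ""))
    except ValueError:
        return False
    return any(peer in net for net in TRUSTED_PROXIES)

def resolve_user(environ):
    """Return the proxy-asserted username, or None if it cannot be trusted."""
    if not from_trusted_proxy(environ):
        # Direct connection: the header value is client-supplied, so drop it.
        environ.pop(HEADER_KEY, None)
        return None
    user = environ.get(HEADER_KEY, "").strip()
    return user or None

class RemoteUserMiddleware:
    """Hypothetical WSGI wrapper: 401 unless a trusted proxy named a user."""
    def __init__(self, app):
        self.app = app
    def __call__(self, environ, start_response):
        user = resolve_user(environ)
        if user is None:
            start_response("401 Unauthorized", [("Content-Type", "text/plain")])
            return [b"authentication required\n"]
        environ["REMOTE_USER"] = user
        return self.app(environ, start_response)

def demo_app(environ, start_response):
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [("hello " + environ["REMOTE_USER"] + "\n").encode()]

def call(environ):
    """Run one constructed request through the middleware; return (status, body)."""
    seen = {}
    def start_response(status, headers):
        seen["status"] = status
    body = b"".join(RemoteUserMiddleware(demo_app)(environ, start_response))
    return seen["status"], body
```

The 401 branch is the response a client following the WebView flow described above would react to.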

Jipok commented 4 months ago

This is what Jauth looks like in the browser:

https://github.com/astubenbord/paperless-mobile/assets/25588359/edddfb73-fb52-4a07-ae34-64f7a36f87b6

Jipok commented 4 months ago

@astubenbord I have given you temporary access for testing to my paperless instance: https://p.ateam.undo.it. You can log in using your ssh keys: https://github.com/astubenbord.keys

brilthor commented 3 months ago

This likely relates to https://github.com/astubenbord/paperless-mobile/issues/405, where a browser would be used for login; however, in this case the cookie set by the auth proxy would need to be held onto.

astubenbord commented 3 months ago

I'll also close this in favor of #374. Should be the same topic, right? If not, feel free to reopen.

Jipok commented 3 months ago

@astubenbord It seems that what @TheRealGramdalf asks you to do there is much more difficult to implement and maintain than what I or @PrzemekSkw ask. If I understand correctly, the paperless server will provide a web interface for logging in via OpenID. In this case, the webview approach can also help with this and you won't have to add and maintain additional functionality.