bagetter / BaGetter

A lightweight NuGet and symbol server
https://www.bagetter.com
MIT License

Support for multiple tokens and permissions #147

Closed arkangel-dev closed 3 weeks ago

arkangel-dev commented 3 weeks ago

We use this package for hosting multiple packages across the company. The issue is that BaGetter currently supports a single API key for all the packages.

I think having multiple keys and permissions, so that users are able to write to and maybe even read only their own packages, would be a useful feature.

Regenhardt commented 3 weeks ago

This will be addressed in #142 when we get to it. It's not currently being worked on, though, so it may take a while. You are welcome to send a PR, though, to add a multi-user system.

The idea would be to keep the current API key as a sort of admin key to make the user system optional, but allow users to use their own API key. We need an actual authorization concept for that though as there are more questions here, like do we have groups? Does a user have to explicitly share a package with another user, or do we just have a private/public toggle? How do we handle different users pushing the same package ID?

arkangel-dev commented 3 weeks ago

I'm currently working on it. And I wasn't exactly talking about a private feed, but giving certain teams write access to a specific package. And we don't need users to have their own keys because package deployment will be handled via CI/CD pipelines.

Regenhardt commented 3 weeks ago

Then there would be one account per team, right? One account (or admin/default API key) would be the owner, giving write permission to the teams that need write access.

Since this would be a big change, it has to work for all (or most) use cases. Especially though the default case where there is either 1) no authorization at all, or 2) an API key used to restrict uploads.
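
The model discussed in this thread, as an added C# sketch that is not part of the thread and not BaGetter code: the existing single key keeps working as an admin key, team keys can push only to listed package IDs, and a server with nothing configured stays open. `TeamKey`, `PushAuthorizer`, and the sample keys and package IDs are hypothetical; keys are assumed to be long random strings, so they are stored as SHA-256 hashes and compared in constant time.

```csharp
#nullable enable
// Added illustration; none of these types exist in BaGetter.
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// One key per team (e.g. per CI/CD pipeline), limited to the package IDs it may write.
public sealed record TeamKey(string Team, byte[] KeyHash, IReadOnlySet<string> WritablePackageIds);

public sealed class PushAuthorizer
{
    private readonly byte[]? _adminKeyHash; // null means no API key is configured
    private readonly IReadOnlyList<TeamKey> _teamKeys;

    public PushAuthorizer(string? adminKey, IEnumerable<TeamKey> teamKeys)
    {
        _adminKeyHash = string.IsNullOrEmpty(adminKey) ? null : Hash(adminKey);
        _teamKeys = new List<TeamKey>(teamKeys);
    }

    public static byte[] Hash(string key) => SHA256.HashData(Encoding.UTF8.GetBytes(key));

    public bool CanPush(string? presentedKey, string packageId)
    {
        // Default case 1: no keys at all, uploads are unrestricted.
        if (_adminKeyHash is null && _teamKeys.Count == 0) return true;
        if (string.IsNullOrEmpty(presentedKey)) return false;
        var presented = Hash(presentedKey);
        // Default case 2: the single existing key acts as the admin key for every package.
        if (_adminKeyHash is not null && CryptographicOperations.FixedTimeEquals(presented, _adminKeyHash))
            return true;
        // Team keys are valid only for the package IDs granted to that team.
        foreach (var team in _teamKeys)
            if (CryptographicOperations.FixedTimeEquals(presented, team.KeyHash))
                return team.WritablePackageIds.Contains(packageId);
        return false;
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample data; NuGet package IDs compare case-insensitively.
        var ids = new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "Contoso.Payments" };
        var team = new TeamKey("payments", PushAuthorizer.Hash("team-key-sample"), ids);
        var auth = new PushAuthorizer("admin-key-sample", new[] { team });
        foreach (var (key, id) in new[] { ("team-key-sample", "contoso.payments"),
                 ("team-key-sample", "Contoso.Billing"), ("admin-key-sample", "Contoso.Billing") })
            Console.WriteLine($"{key} -> {id}: {auth.CanPush(key, id)}");
    }
}
```

The sketch does not decide the open questions raised above, such as groups, sharing, or two owners pushing the same package ID.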