bouncepaw
commented
1 year ago Caddy sounds fun. I guess one can already use this system, if they set up the wiki to be anonymous and set up this portal. It's like Basic Auth advanced replacement, right?
Would the following be enough to implement the feature?:
- Add a toggle in configuration: “Enable Caddy portal”.
- If there is that username header, authorize with that username.
- Deny the usual login procedure (ie
/loginand/register) would do nothing.
CrazyPython
Hi,
I'm using caddy-security to authenticate requests: https://authp.github.io/
Caddy is a reverse-proxying web server like NGINX. It automatically sets up HTTPS transparently. Caddy-security is a Caddy plugin that allows creating an auth portal that supports email-based registration as well as OAuth providers like Google or Discord and passwordless authentication via email and SMS.
Once authenticated, caddy-security can pass information downstream: https://authp.github.io/docs/authorize/headers
Because caddy-security has verified the user, there is no need for Mycorrhiza itself to store any authentication credentials.
I would like to add Mycorrhiza to add support for header-based authentication compatible with caddy-security, as a third option to no auth and password auth. To implement support, a user should be logged into the username corresponding to X-Token-Subject, and if an account does not exist, it should be created.
You could point Mycorrizha users to using caddy-security as the default method, so that you don't need to implement any of this yourself. Caddy can be set up behind or in front of an existing web server and is a statically linked Go executable.
I'm not a Caddy developer, I just think this is the easiest and most ergonomic way to add security to Mycorrhiza.