Open mtiller opened 2 years ago
I have a question here (for @gempain?). Does the API do its own authentication checking? It looks like the API checks authentication for users, but the `caddy` configuration has checks as well, and these appear to be only for the "password protection" checks. Is this correct? I'm hoping not, because I was hoping to just add an option to have `caddy` slip in a verification of user tokens as a guard if so configured (to address this issue). But I'm a bit worried that `caddy` doesn't actually pay any attention to user tokens. Yes or no?
@mtiller you're right, Caddy doesn't do the user token checks, it only does the site protection, as those credentials are static. API token authentication and authorization is fully delegated to the express app, which allows us to do awesome checks like allowing a token to access a single endpoint or have an expiration date. To be more specific, we have the `authorizeApiReq` express middleware that validates your API token and extracts the endpoints you gave it access to. This middleware loads your api token and user data and stores them in `req.apiToken` and `req.user`, which are then used by the `apiGuard`. This guard is automatically added to API endpoints registered via `apiEndpoint` when an `apiScope` is provided, as for example done here.
I don't know what to do about this ticket. It looks like this wouldn't be an easy thing to add because of this dichotomy in authentication schemes. But I did a tiny bit of research and it seems to me (admittedly a total novice with `caddy`) that something like this might open up a nice set of options:
https://github.com/greenpau/caddy-security/blob/main/README.md
I think Caddy offers an option to authenticate with JWT tokens and you can provide a custom endpoint to call for checking these tokens. I need to think deeper about what impacts this would have.
It would be nice to have the option to protect the sites with effectively the same authentication that protects the API and the UI. What I mean is, if I configure Gitlab as my authentication provider (to log into Meli), it would be nice to have the option to use exactly the same authentication to protect the sites.
This isn't super important for us right now because we run Meli on prem. But if we run it in public cloud infrastructure, many of the sites we would be pushing are meant for internal use and the viewers of the web sites are the same set of people as the "users".
Just a thought.