Closed vdye closed 1 year ago
@derrickstolee @mjcheetham I think I've addressed all of the feedback so far. The PR has changed a fair amount since the first round of reviews (added integration tests, manpage docs, and better in-code documentation for `pkg/auth`; also, changed `AuthResult` pretty substantially), so please let me know if you have any questions or otherwise think something should be changed!
Closes #41
This pull request lays the foundation for specialized auth configuration in the bundle server:
- `AuthResult` type, which the web server will use to relay the output of a custom auth function as an HTTP response
- `--auth-config` type and initial schema; in this commit, it doesn't do much of anything (since there aren't any valid `mode`s yet). Also introduce the `AuthMiddleware` interface, which will be used in both built-in modes and the basis for plugin modes.
- `fixed` built-in auth mode, which validates a request's Basic header against a static username/password pair.
- `fixed` auth mode
- `plugin` auth mode, which allows a user to load (at runtime) a custom implementation of `AuthMiddleware`
This is a pretty major feature (or the start of one, at least), so I'd really appreciate an extra reviewer focus on making sure the architecture is sound and there aren't any glaring security issues (other than what's already mentioned in the docs, i.e. "don't run untrusted plugins").
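As an added illustration (not code from this pull request or from the bundle server), this is one way a fixed-credential Basic check like the one described above can be written so that the comparison does not leak which field was wrong. The `authOutcome` and `fixedAuth` types, the `check` helper, the realm and the sample credentials are all hypothetical.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// authOutcome is a hypothetical stand-in for the PR's AuthResult, not the project's type.
type authOutcome struct {
	Status int
	Header http.Header
}

// fixedAuth keeps SHA-256 digests of the configured pair so every comparison has equal-length inputs.
type fixedAuth struct{ userSum, passSum [sha256.Size]byte }
func newFixedAuth(user, pass string) *fixedAuth {
	return &fixedAuth{userSum: sha256.Sum256([]byte(user)), passSum: sha256.Sum256([]byte(pass))}
}

// authorize checks Basic credentials; both fields are always compared, with no early exit.
func (f *fixedAuth) authorize(r *http.Request) authOutcome {
	user, pass, ok := r.BasicAuth() // ok is false when the header is missing or malformed
	u, p := sha256.Sum256([]byte(user)), sha256.Sum256([]byte(pass))
	userOK := subtle.ConstantTimeCompare(u[:], f.userSum[:])
	passOK := subtle.ConstantTimeCompare(p[:], f.passSum[:])
	if ok && userOK&passOK == 1 {
		return authOutcome{Status: http.StatusOK}
	}
	h := http.Header{}
	h.Set("WWW-Authenticate", `Basic realm="bundles"`) // realm value is an assumption
	return authOutcome{Status: http.StatusUnauthorized, Header: h}
}

// check runs authorize on a constructed request; send=false omits the header entirely.
func check(f *fixedAuth, user, pass string, send bool) authOutcome {
	r := httptest.NewRequest(http.MethodGet, "/constructed/route", nil)
	if send {
		r.SetBasicAuth(user, pass)
	}
	return f.authorize(r)
}

func main() {
	f := newFixedAuth("admin", "constructed-password")
	fmt.Println(check(f, "admin", "constructed-password", true).Status, check(f, "admin", "wrong", true).Status)
}
```

Requiring `ok` alongside the digest match means a request with no `Authorization` header is rejected even if the configured username and password are both empty.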