greenpau / caddy-security

πŸ” Authentication, Authorization, and Accounting (AAA) App and Plugin for Caddy v2. πŸ’Ž Implements Form-Based, Basic, Local, LDAP, OpenID Connect, OAuth 2.0 (Github, Google, Facebook, Okta, etc.), SAML Authentication. MFA/2FA with App Authenticators and Yubico. πŸ’Ž Authorization with JWT/PASETO tokens. πŸ”
https://authcrunch.com/
Apache License 2.0

breakfix: Cannot reach /settings endpoint even with authp/user role #358

Closed mjwhite closed 1 month ago

mjwhite commented 1 month ago

Describe the issue

I have caddy-security configured to authenticate a reverse proxy.

Password authentication works fine, but the /settings endpoint produces a page-not-found error even for authenticated users - I can't find any way to reach it.

Configuration

Caddyfile (hostnames etc modified):

{
        email name@example.com
        order authenticate before respond
        order authorize before reverse_proxy
        debug

        security {
                local identity store localdb {
                        realm local
                        path /var/lib/caddy/auth/users.json
                }

                authentication portal myportal {
                        enable identity store localdb
                        cookie domain example.com
                        cookie lifetime 86400

                        transform user {
                                match origin local
                                action add role authp/user
                                ui link "Portal Settings" /settings icon "las la-cog"
                        }
                }

                authorization policy user_policy {
                        set auth url https://auth.example.com/
                        allow roles authp/user
                }
        }
}

auth.example.com {
        authenticate with myportal
}

app.example.com {
        authorize with user_policy
        reverse_proxy https://127.0.0.1:1234 {
                transport http {
                        tls_insecure_skip_verify
                }
        }
}

Version Information

http.authentication.hashes.bcrypt v2.8.4
http.authentication.providers.http_basic v2.8.4
http.handlers.authentication v2.8.4
tls.client_auth.verifier.leaf v2.8.4
http.authentication.providers.authorizer v1.1.29
http.handlers.authenticator v1.1.29
security v1.1.29

Expected behavior

When logged in, the /whois endpoint works and shows the user has both the authp/user and authp/guest roles. My understanding from the docs is this should allow access to the /settings endpoint, for password change, MFA setup etc.

The result is a "Page Not Found" error, same as shown for any non-existent authentication portal path.

greenpau commented 1 month ago

@mjwhite, the settings page is now relocated to "/auth/profile/". Please see reference config here: https://github.com/greenpau/caddy-security/issues/353