search

hedgedoc / cli

A tiny CLI for HedgeDoc
GNU Affero General Public License v3.0
150 stars 37 forks source link

Add support for authentification and history #9

Closed Fumesover closed 5 years ago

Fumesover commented 5 years ago

I corrected the spelling issues, but I'm not sure that leaving cookie in a static file by default is a good idea @pirate

fbartels commented 5 years ago

@Fumesover then maybe use mktemp to avoid conflicts on multi user systems?

Fumesover commented 5 years ago

@fbartels and how do we save the path ? However, using the username can be the solution (ex: /tmp/codimd-cookies-$USER.txt)

fbartels commented 5 years ago

yes, you would still need to have a config file in ~ which would have the path to the cookie. not really elegant indeed.

btw. I did a checkout of your repo and for me the login fails. I setup a user with a less complex password, but even here it fails. the file ~/.codimd-key.conf is not created by running codimd-cli

13:50 $ env CODIMD_SERVER='https://codimd.9wd.eu' bash -x bin/codimd login test test1234
++ basename bin/codimd
+ codi_cli=codimd
+ help_str='
Options:
    $ codimd import /path/to/your/content.md
    qhmNmwmxSmK1H2oJmkKBQQ       # returns note id on success

    $ codimd publish qhmNmwmxSmK1H2oJmkKBQQ
    /s/S1ok9no3f                 # returns published note url

    $ codimd export --pdf qhmNmwmxSmK1H2oJmkKBQQ output.pdf
    $ codimd export --md qhmNmwmxSmK1H2oJmkKBQQ output.md
    $ codimd export --html qhmNmwmxSmK1H2oJmkKBQQ output.html
    $ codimd export --slides qhmNmwmxSmK1H2oJmkKBQQ output.zip

    $ codimd login email@example.net p4sW0rD
    $ codimd profile
    You are logged in as email with id x[...]x.
    $ codimd history
    ID                      Name
    0nAp3YRyTlyQ-N3N7lCk-w  Note_1
    qhmNmwmxSmK1H2oJmkKBQQ  Note_2
    $ codimd delete 0nAp3YRyTlyQ-N3N7lCk-w
    $ codimd logout

Example:
    $ env CODIMD_SERVER='\''https://codimd.example.com'\'' codimd import /path/to/your/content.md
'
+ CODIMD_SERVER=https://codimd.9wd.eu
+ CODIMD_COOKIES_FILE='~/.codimd-key.conf'
+ [[ login == \i\m\p\o\r\t ]]
+ [[ login == \p\u\b\l\i\s\h ]]
+ [[ login == \e\x\p\o\r\t ]]
+ [[ login == \l\o\g\i\n ]]
+ authenticate test test1234
+ [[ -z test ]]
+ [[ -z test1234 ]]
+ curl -c '~/.codimd-key.conf' -XPOST -d 'email=test&password=test1234' https://codimd.9wd.eu/login
++ is_authenticated
+++ curl -b '~/.codimd-key.conf' https://codimd.9wd.eu/me
++ STATUS='{"status":"forbidden"}'
+++ echo '{"status":"forbidden"}'
+++ jq -r .status
++ '[' forbidden == ok ']'
++ echo 1
+ [[ -n 1 ]]
+ echo 'Logged in https://codimd.9wd.eu as test successfully.'
Logged in https://codimd.9wd.eu as test successfully.
Fumesover commented 5 years ago

@fbartels using $HOME instead of ~ seems to correct it

fbartels commented 5 years ago

now that file is actually filled, but login still fails:

14:21 $ env CODIMD_SERVER='https://codimd.9wd.eu' bash -x bin/codimd login test test1234
++ basename bin/codimd
+ codi_cli=codimd
+ help_str='
Options:
    $ codimd import /path/to/your/content.md
    qhmNmwmxSmK1H2oJmkKBQQ       # returns note id on success

    $ codimd publish qhmNmwmxSmK1H2oJmkKBQQ
    /s/S1ok9no3f                 # returns published note url

    $ codimd export --pdf qhmNmwmxSmK1H2oJmkKBQQ output.pdf
    $ codimd export --md qhmNmwmxSmK1H2oJmkKBQQ output.md
    $ codimd export --html qhmNmwmxSmK1H2oJmkKBQQ output.html
    $ codimd export --slides qhmNmwmxSmK1H2oJmkKBQQ output.zip

    $ codimd login email@example.net p4sW0rD
    $ codimd profile
    You are logged in as email with id x[...]x.
    $ codimd history
    ID                      Name
    0nAp3YRyTlyQ-N3N7lCk-w  Note_1
    qhmNmwmxSmK1H2oJmkKBQQ  Note_2
    $ codimd delete 0nAp3YRyTlyQ-N3N7lCk-w
    $ codimd logout

Example:
    $ env CODIMD_SERVER='\''https://codimd.example.com'\'' codimd import /path/to/your/content.md
'
+ CODIMD_SERVER=https://codimd.9wd.eu
+ CODIMD_COOKIES_FILE=/home/fbartels/.codimd-key.conf
+ [[ login == \i\m\p\o\r\t ]]
+ [[ login == \p\u\b\l\i\s\h ]]
+ [[ login == \e\x\p\o\r\t ]]
+ [[ login == \l\o\g\i\n ]]
+ authenticate test test1234
+ [[ -z test ]]
+ [[ -z test1234 ]]
+ curl -c /home/fbartels/.codimd-key.conf -XPOST -d 'email=test&password=test1234' https://codimd.9wd.eu/login
++ is_authenticated
+++ curl -b /home/fbartels/.codimd-key.conf https://codimd.9wd.eu/me
++ STATUS='{"status":"forbidden"}'
+++ echo '{"status":"forbidden"}'
+++ jq -r .status
++ '[' forbidden == ok ']'
++ echo 1
+ [[ -n 1 ]]
+ echo 'Logged in https://codimd.9wd.eu as test successfully.'
Logged in https://codimd.9wd.eu as test successfully.
Fumesover commented 5 years ago

Oh ! It's because you are using ldap @fbartels, my code only works for email login actually But replacing email by username in line 79 and /login by /auth/ldap in line 80 make the trick Maybe it will be possible to add something like --ldap option for this kind of login

fbartels commented 5 years ago

Yes, it is indeed an ldap backend. I did not expect that this will lead to different auth endpoints.

Maybe there could be an automatic fallback?

Fumesover commented 5 years ago

This is a 3rd party integration, I don't think integrating it as an automatic fallback is relevant

pirate commented 5 years ago

I agree that leaving a cookie in a local file is less ideal than somewhere like a keychain, but I also don't think it's the end of the world, as it's a pattern used by other tools for sensitive keys.

E.g. It's common to store AWS keys in ~/.aws/credentials and SSH private keys in ~/.ssh/id_rsa.key, and those are arguably much more critical from a security standpoint than a codimd cookie.

As long as the permissions limit the cookie file to only the current user (I think we should add that to the bash script), I'm ok with it.

fbartels commented 5 years ago

yes, looking at the code again, a better option would be to have a dedicated "ldap" parameter and a dedicated auth function for it.

since all the other stuff is just checking with the stored cookie if the session is still valid you could have multiple auth functions

https://github.com/Fumesover/codimd-cli/pull/1

Fumesover commented 5 years ago

Now there is support for email & ldap and it will be easy to add other protocols

Sorry @fbartels, I hadn't seen your PR, and I think making it modular as I did would be easier to maintain

ccoenen commented 5 years ago

Having a text file somewhere in your filesystem is also exactly what browsers were doing for years. Today Firefox and Chrome store this in an SQLite database - still in your profile folder. No difference at all with regard to security. (Firefox: Profile directory cookies.sqlite / Chrome: User Data/Default/cookies (no extension) if you want to take a look)

Fumesover commented 5 years ago

Okay so actually the default is ~/.codimd-key.conf @pirate is that okay for merge ?

ccoenen commented 5 years ago

I would like to propose something like the XDG Base Directory Spec, in this case ~/.config/codimd-cli/key.conf ($XDG_CONFIG_HOME (many unixoids) or %APPDATA% (Win)).

Base reason is, that I don't particularly like all that clutter in my home directory.

pirate commented 5 years ago

Yeah, I'd be fine with either of ~/.config/codimd-cli/api-key.conf, ~/.config/codimd-cli/key.conf, or ~/.codimd-key.conf as the default.

Fumesover commented 5 years ago

So, now the default is ~/.config/codimd-cli/key.conf