Open jrichardsz opened 2 years ago
This option is not implemented yet.
Could you point me to some classes to try it? Thanks
Hi, you can embed BaGet into a new ASP.NET Core application:
Please note that BaGet's API is not stable yet and we will make breaking changes until we reach 1.0. If you go down this path, expect the need to react to breaking changes. Please let me know if you have additional questions or run into problems!
On my devops pipeline I just need:
According to my test, the current BaGet server accomplishes that.
Will the changes in the next release accomplish those minimal requirements using an official Microsoft way?
Until your next release, how can I protect the dashboard with a simple login? Currently it is public:
If it was Java or Node.js, it is really simple to add a login.
Or could you point me to another official NuGet implementation ready to use with Docker?
Thanks for your valuable time.
Regards
I added a minimal basic authentication for web endpoints: / and /upload
https://github.com/loic-sharma/BaGet/compare/main...usil:feature-add-basic-auth?expand=1
Summary of the changes (in less than 80 chars)
BAGET_WEB_USER and BAGET_WEB_PASSWORD
docker run
Browser test works
credentials prompt
reject bad credentials or cancel auth
but two unit test methods fail:
Could you point me to how to create a test for unauthorized facts?
Also to do it in a more elegant way:
Also if this feature proceeds:
Hello,
It looks like your branch only adds authentication to the UI. This makes it a little harder to discover your packages, but an attacker could still download your packages if they know NuGet's protocol. You'll also want to add authentication for BaGet's API: https://github.com/loic-sharma/BaGet/blob/5fc5072e24d6c374c63a9dfc0fd351c54047b23c/src/BaGet.Web/BaGetEndpointBuilder.cs#L10-L20
A possible solution could be to add a proxy that authenticates all requests to BaGet. For example see these:
Could you point me to how to create a test for unauthorized facts
It looks like you're using the Request and Response properties. You will need to update the unit tests to mock them here:
Thanks
Today API keys only protect package uploads and deletions. You can browse and download packages without providing an API key.
By default the proxy should apply to all pages and API endpoints yup. But you can configure your proxy as you'd wish and leave unauthenticated endpoints if needed.
If the proxy protects everything, that is fine for me.
But if package uploads and deletions are protected with API keys, we need to disable the proxy for them to prevent double protection: proxy and apiKey. Am I correct?
Good question. I'm not sure what NuGet does in that scenario, could you try it and let us know your findings?
I reviewed this https://loic-sharma.github.io/BaGet/ and I cannot find an option to enable a simple login.
Thanks
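The point raised in the thread, that protecting only / and /upload leaves the package API reachable while a proxy authenticating every request does not, shown as an added example that is not BaGet's code or anything posted in the thread. The `gate` function, the sample requests and the API paths (modelled on the NuGet protocol) are assumptions made for illustration.

```python
import base64
import hmac

# Constructed sample requests. "/" and "/upload" are the web endpoints named in
# the thread; the API paths are assumptions modelled on the NuGet protocol.
SAMPLE_REQUESTS = [
    ("GET", "/", {}),
    ("GET", "/upload", {}),
    ("GET", "/v3/index.json", {}),
    ("GET", "/v3/package/example.pkg/1.0.0/example.pkg.1.0.0.nupkg", {}),
    ("PUT", "/api/v2/package", {"X-NuGet-ApiKey": "constructed-api-key"}),
]
UI_ONLY = {"/", "/upload"}  # the paths the branch in the thread protects


def basic_auth_ok(headers, user, password):
    """Validate an HTTP Basic Authorization header, comparing in constant time."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic":
        return False
    try:
        decoded = base64.b64decode(token, validate=True)
    except ValueError:  # malformed base64 is treated as bad credentials
        return False
    return hmac.compare_digest(decoded, f"{user}:{password}".encode())


def gate(method, path, headers, user, password, protected=None):
    """Return 401, or 200 to forward upstream. protected=None covers every path."""
    # Only the Authorization header is read here; X-NuGet-ApiKey is left
    # untouched for the upstream server to check on uploads and deletions.
    needs_auth = protected is None or path in protected
    if needs_auth and not basic_auth_ok(headers, user, password):
        return 401
    return 200


def reachable_without_credentials(protected, user="u", password="p"):
    """Paths an anonymous client still reaches under the given policy."""
    return [path for method, path, headers in SAMPLE_REQUESTS
            if gate(method, path, headers, user, password, protected) == 200]
```

With `UI_ONLY` the three API paths are still reachable anonymously; with `protected=None` nothing is, and an API key alone does not pass the gate.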