Is there an option to protect the web dashboard with a login?

[jrichardsz]

I reviewed this https://loic-sharma.github.io/BaGet/ and I cannot find an option to enable a simple login.

Thanks

[yekanchi]

This option is not implemented yet.

[jrichardsz]

Could you point me to some classes to try it? Thanks

[loic-sharma]

Hi you can embed BaGet into a new ASP.NET Core application:

• Basic example - This example just exposes BaGet's HTTP API but does not include the UI. It adds BaGet's services, chooses the database and storage providers, and then add BaGet's routes.
• More advanced example - This is similar to the previous example but adds the UI and authentication + authorization, plus custom routes for custom logic.

Please note that BaGet's API is not stable yet and we will make breaking changes until we reach 1.0. If you go down this path, expect the need to react to breaking changes. Please let me know if you have additional questions or run into problems!

[jrichardsz]

On my devops pipeline I just need:

• build a nuget package and push it to nuget server using any kind of official authentication
• download the uploaded nuget package using any kind of official authentication
• configure the developer ide (visual studio) in read-only mode, just to download nuget packages using any kind of official authentication
• open the web dashboard and view the nuget packages using any kind of official authentication

According to my test, current baget server accomplish that.

Changes in the next release will accomplish that minimal requirements using a official Microsoft way?

Until you next release, how can I protect the dashboard with a simple login? Currently is public:

If it was java or nodejs it is really simple add a login.

Or do you point me to another nuget official implementation ready to use with docker?

Thanks for you valuable time.

Regards

[jrichardsz]

I added a minimal basic authentication for web endpoints: / and /upload

https://github.com/loic-sharma/BaGet/compare/main...usil:feature-add-basic-auth?expand=1

Summary of the changes (in less than 80 chars)

• Add basic authentication to the web endpoints: / and /upload
• Credentials are environment variables BAGET_WEB_USER and BAGET_WEB_PASSWORD
• If these variables does not exist, baget web endpoints are public (default behavior)
• These variables could be set on .env or -e parameter for docker run

Browser test works

credentials prompt

reject bad credentials or cancel auth

but two unit test method fails:

Could you point me to how create a test for unauthorized facts?

Also to do it in a more elegant way:

• I tried with Razor Pages authorization unlucky
• I tried with a middleware unlucky
• I tried with a custom login form unlucky
• I tried with ActionExecutingContext unlucky. Is ignored

Also if this feature proceed:

• we need to add a force brute attack protection.
• we can design the security as a plugin to enable future google and microsoft oauth2 login.

[loic-sharma]

Hello,

It looks like your branch only adds authentication to the UI. This makes it a little harder to discover your packages, but, an attacker could still download your packages if they know NuGet's protocol. You'll also want to add authentication for BaGet's API: https://github.com/loic-sharma/BaGet/blob/5fc5072e24d6c374c63a9dfc0fd351c54047b23c/src/BaGet.Web/BaGetEndpointBuilder.cs#L10-L20

A possible solution could be to add a proxy that authenticates all requests to BaGet. For example see these:

• https://github.com/loic-sharma/BaGet/issues/36#issuecomment-542175296
• https://gist.github.com/DutchCaveman/4287549fc36dace5ac780ce023ddb05a

Could you point me to how create a test for unauthorized facts

It looks like you're using the Request and Response properties. You will need to update the unit tests to mock them here:

https://github.com/loic-sharma/BaGet/blob/5fc5072e24d6c374c63a9dfc0fd351c54047b23c/tests/BaGet.Web.Tests/Pages/IndexModelFacts.cs#L26

[jrichardsz]

1. If someone knows the nuget protocol (internal http endpoints), ApiKey offers a protection. Am I correct?
2. I will try the proxy. Just one question, the proxy applies for ui pages and internal http endpoints?

Thanks

[loic-sharma]

Today API keys only protect package uploads and deletions. You can browse and download packages without providing an API key.

By default the proxy should apply to all pages and API endpoints yup. But you can configure your proxy as you'd wish and leave unauthenticated endpoints if needed.

[jrichardsz]

If proxy protects everything, is fine for me.

But If package uploads and deletions are protected with API keys, we need to disable the proxy for them to prevent double protection: proxy and apiKey. Am I correct?

[loic-sharma]

Good question. I'm not sure what NuGet does in that scenario, could you try it and let us know your findings?