Proof of concept for reverse-proxy auth

[weaversam8]

• This commit adds a new auth manager class for authorizing via proxy headers ProxyHeaderAuth which can be selected by setting the AUTH_METHOD env var to PROXY_HEADER

  • This auth manager looks for the following headers in order to create a "pseudo-user" on each request. No users are committed to the SQLite database when using this auth manager.

    • X-OtterWiki-Name - the name of the user to include on the Git commit when editing a page
    • X-OtterWiki-Email - the email of the user to include on the Git commit when editing a page
    • X-OtterWiki-Permissions - a comma separated list of permissions to grant to the user

  • The Docker entrypoint.sh script has been updated to pass the AUTH_METHOD config option thru if set in the environment.

• has_permission(permission, user) is now a method specific to each auth manager

• auth managers now implement a supported_features() method to detail which features they support (like whether an auth manager allows a user to change their name or password, or logout)

  • the features object this method returns is present in all Jinja templates as the variable auth_supported_features

  • the settings page was updated to prevent a user from editing their password and name if it is not supported by the current auth manager.

  • the dropdown menu present on all page was updated to hide the "logout" button if it is not supported by the current auth manager

• The test_settings.py test was updated to tolerate extra whitespace

CC @redimp. I didn't make the headers configurable for now, and I'm sure this is a bit hacky, so interested to hear what you think.

[redimp]

That looks very good. I don't have time to set up a test environment until the weekend. I will then test and merge or let you know if I run into problems.

Awesome work @weaversam8 !

[redimp]

First test went fine!

I have added the commits in the branch feature/proxy-header-auth. This branch includes a minimal test example. A more serious example would be useful.

Some thoughts:

• I like the implementation of ProxyHeaderAuth, minimal but sufficient.
• Something like supported_features()/auth_supported_features() was necessary.
• Having the header names fixed is in my opinion okay, all services that I know are able to define the headers they set. The comma seperated list of permissions should also be easy to implement.

[weaversam8]

I just pulled and tested these changes. Fixed one tiny bug in 7b3098c but otherwise this looks great! I think this example is plenty sufficient to show how this is used, thanks for putting that together!

I rebased my branch off of main and pushed, so this PR should be good to merge (since it now contains your changes.)

[redimp]

Merged. Thank you for the work.

Will do a new release including this feature within the next two days.