Closed weaversam8 closed 3 months ago
That looks very good. I don't have time to set up a test environment until the weekend. I will then test and merge or let you know if I run into problems.
Awesome work @weaversam8 !
First test went fine!
I have added the commits in the branch feature/proxy-header-auth. This branch includes a minimal test example. A more serious example would be useful.
Some thoughts:
supported_features()/auth_supported_features() was necessary.
I just pulled and tested these changes. Fixed one tiny bug in 7b3098c but otherwise this looks great! I think this example is plenty sufficient to show how this is used, thanks for putting that together!
I rebased my branch off of main and pushed, so this PR should be good to merge (since it now contains your changes.)
Merged. Thank you for the work.
Will do a new release including this feature within the next two days.
This commit adds a new auth manager class for authorizing via proxy headers, ProxyHeaderAuth, which can be selected by setting the AUTH_METHOD env var to PROXY_HEADER.
This auth manager looks for the following headers in order to create a "pseudo-user" on each request. No users are committed to the SQLite database when using this auth manager.
- X-OtterWiki-Name - the name of the user to include on the Git commit when editing a page
- X-OtterWiki-Email - the email of the user to include on the Git commit when editing a page
- X-OtterWiki-Permissions - a comma separated list of permissions to grant to the user
The Docker entrypoint.sh script has been updated to pass the AUTH_METHOD config option thru if set in the environment.
- has_permission(permission, user) is now a method specific to each auth manager
- auth managers now implement a supported_features() method to detail which features they support (like whether an auth manager allows a user to change their name or password, or logout)
- the features object this method returns is present in all Jinja templates as the variable auth_supported_features
- the settings page was updated to prevent a user from editing their password and name if it is not supported by the current auth manager.
- the dropdown menu present on all pages was updated to hide the "logout" button if it is not supported by the current auth manager
- The test_settings.py test was updated to tolerate extra whitespace
CC @redimp. I didn't make the headers configurable for now, and I'm sure this is a bit hacky, so interested to hear what you think.
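Since the pseudo-user described in the PR above is built entirely from request headers, the application should only ever see those headers when the reverse proxy set them. The following is an added example, not code from the PR or from Otter Wiki: a WSGI middleware that drops the three headers unless the peer is a trusted proxy, plus a parser for the header values. `StripUntrustedAuthHeaders`, `pseudo_user`, `TRUSTED_PROXIES`, the proxy address and the sample request are assumptions made for illustration.

```python
import ipaddress

# Header names come from the PR description; everything else is assumed.
AUTH_HEADERS = ("X-OtterWiki-Name", "X-OtterWiki-Email", "X-OtterWiki-Permissions")
TRUSTED_PROXIES = [ipaddress.ip_network("127.0.0.1/32")]  # assumed proxy address


def environ_key(header):
    # WSGI exposes "X-OtterWiki-Name" as "HTTP_X_OTTERWIKI_NAME".
    return "HTTP_" + header.upper().replace("-", "_")


def from_trusted_proxy(environ):
    try:
        peer = ipaddress.ip_address(environ.get("REMOTE_ADDR", ""))
    except ValueError:  # missing or non-IP peer (e.g. unix socket): not trusted
        return False
    return any(peer in net for net in TRUSTED_PROXIES)


class StripUntrustedAuthHeaders:
    """Hypothetical WSGI middleware: drop identity headers from other peers."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        if not from_trusted_proxy(environ):
            for header in AUTH_HEADERS:
                environ.pop(environ_key(header), None)
        return self.app(environ, start_response)


def pseudo_user(environ):
    """Per-request pseudo-user dict, or None when name or email is missing."""
    name = environ.get(environ_key("X-OtterWiki-Name"), "").strip()
    email = environ.get(environ_key("X-OtterWiki-Email"), "").strip()
    if not name or not email:
        return None
    raw = environ.get(environ_key("X-OtterWiki-Permissions"), "")
    return {"name": name, "email": email,
            "permissions": {p.strip() for p in raw.split(",") if p.strip()}}


if __name__ == "__main__":
    # Constructed request: a direct client supplying the headers itself.
    env = {"REMOTE_ADDR": "203.0.113.9", "HTTP_X_OTTERWIKI_NAME": "Mallory",
           "HTTP_X_OTTERWIKI_EMAIL": "m@example.org"}
    app = StripUntrustedAuthHeaders(lambda e, sr: pseudo_user(e))
    print(app(env, None))
```

The proxy itself should also overwrite or clear these headers on every inbound request, so that a value supplied by the client never reaches the wiki through the trusted hop.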