szabodanika / microbin

A secure, configurable file-sharing and URL shortening web app written in Rust.
https://microbin.eu
BSD 3-Clause "New" or "Revised" License

Pasta list with authentication #45

Closed zodiacg closed 1 year ago

zodiacg commented 2 years ago

Currently the status of the pasta list is either open (for everyone that has access to see and remove pastas, if private pasta is not enabled) or closed (nobody can see anything at all).

I'm hoping for a mode in which only the pasta list requires authentication. Or, if private pasta is enabled, one could see all the private pastas after authentication. Basically this sets an "administrator" role who can manage all the pastas.

I understand that microbin is not meant for public usage. But I think it will be useful if someone wants to manage all the pastas without turning on/off list and private and restarting the instance.

abyss commented 1 year ago

@zodiacg I think one way of achieving this (and my plan personally) is to use a reverse proxy to protect the /pastalist/ and /remove/ endpoints with Authentication.

I think deferring authentication to the reverse proxy might be the most appropriate way to keep the project simple - authentication can be messy.

zodiacg commented 1 year ago

> @zodiacg I think one way of achieving this (and my plan personally) is to use a reverse proxy to protect the /pastalist/ and /remove/ endpoints with Authentication.

> I think deferring authentication to the reverse proxy might be the most appropriate way to keep the project simple - authentication can be messy.

That's a good suggestion. I didn't realize there are specific endpoints for these operations. I got an Authelia instance and I will use that for authentication. Yes it's more elegant indeed!
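The reverse-proxy approach abyss suggests, with Authelia as the authentication backend zodiacg settled on, as an added example that is not part of this thread or of the microbin project. It assumes microbin listens on 127.0.0.1:8080 and is not reachable except through nginx, that Authelia runs at authelia:9091 with its portal at https://auth.example.com, and that Authelia's verify endpoint is /api/verify; all of those host names and the endpoint path are placeholders for your own deployment.

```nginx
# Added example (not microbin's own config): nginx in front of microbin,
# gating only /pastalist and /remove behind Authelia via auth_request.
# Assumed/placeholder values: microbin at 127.0.0.1:8080, Authelia at
# authelia:9091 with verify endpoint /api/verify, portal auth.example.com.
server {
    listen 443 ssl;
    server_name bin.example.com;
    # ssl_certificate / ssl_certificate_key omitted for brevity

    # Internal subrequest target: nginx asks Authelia whether the current
    # session is allowed. "internal" means clients can never call it directly.
    location /authelia {
        internal;
        proxy_pass http://authelia:9091/api/verify;
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
        proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
        proxy_set_header X-Forwarded-Method $request_method;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host $http_host;
        proxy_set_header X-Forwarded-Uri $request_uri;
        proxy_set_header X-Forwarded-For $remote_addr;
    }

    # The two management paths from the thread. Unauthenticated requests get
    # a 401 from the subrequest, which is turned into a redirect to the portal
    # carrying the original URL so the user lands back here after login.
    location ~ ^/(pastalist|remove)(/|$) {
        auth_request /authelia;
        auth_request_set $target_url $scheme://$http_host$request_uri;
        error_page 401 =302 https://auth.example.com/?rd=$target_url;
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
    }

    # Everything else (uploading, viewing a pasta by its own URL) stays open.
    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
        client_max_body_size 100M;  # match this to your configured upload limit
    }
}
```

This only hides the listing and removal endpoints; anyone who already holds a pasta's URL can still open it, so it does not replace the private-pasta setting. After deploying, confirm the gate actually covers the routes your microbin version serves (check the access log for 401/302 on /pastalist and /remove) and that port 8080 is not reachable from outside the host.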

szabodanika commented 1 year ago

> I think deferring authentication to the reverse proxy might be the most appropriate way to keep the project simple - authentication can be messy.

I agree your way is definitely very safe and probably not too difficult to configure. Although the project already uses HTTP basic authentication, and I think optionally wrapping only one or two paths in that would be relatively simple, honestly I think the basic auth should be replaced with something a little neater at some point - Firefox on iOS keeps crashing with this enabled and Safari keeps asking for the password again and again. Basic auth was a very lazy and temporary implementation that we can't really keep much longer, not as the only option anyway. I will not target this for 1.2.0 for now; let's get the small annoyances out of the way and then we can focus on larger issues like this and the SQLite database.