wiltonsr / ldapAuth

An open source Traefik Middleware that enables authentication via LDAP in a similar way to Traefik Enterprise
https://plugins.traefik.io/plugins/628c9eb7ffc0cd18356a979c/ldap-auth
Apache License 2.0
117 stars, 10 forks

ldapAuth should have some level of caching #20

Closed evan-chaney closed 2 years ago

evan-chaney commented 2 years ago

I have a Kibana server behind Traefik (v2.9.1) with the ldapAuth plugin (v0.0.17) and I can see 14 authentication requests via the ldapAuth logs just by accessing / on the server. The browser seems to cache the credentials, or perhaps that is happening in ldapAuth, but it does show 14 requests being sent to my LDAP server and all of them are authenticated successfully. This isn't a fail-and-retry scenario. I was able to replicate this with a simpler web service: just by refreshing the page, it authenticates against LDAP in the log even though I don't get a credential prompt in the browser. Is there some way to cache an authentication for an hour or any other configurable amount of time?

wiltonsr commented 2 years ago

Hi @evan-chaney,

Unfortunately, this behavior comes from the browser's cache.

This StackOverflow question details more about this.

wiltonsr commented 2 years ago

We can create a parameter for cacheTimeout and read these headers:

X-Forwarded-Host:[whoami.localhost] 
X-Forwarded-Port:[80] 
X-Forwarded-Proto:[HTTP]

to create a 302 redirect in the format: X-Forwarded-Proto://logout@X-Forwarded-Host:X-Forwarded-Port that will force the browser to request password again.

wiltonsr commented 2 years ago

Better than this, we already have a RequireAuth method that requests the user to authenticate again:

https://github.com/wiltonsr/ldapAuth/blob/546a5c5305d1013da1c7f85d1d5c8062dd6ff7de/ldapauth.go#L263-L275

Just need to validate the cacheTimeout.

wiltonsr commented 2 years ago

Hello, @evan-chaney

I created a new branch add-session, could you test this and report if there is any problem?

The CacheTimeout config param is set to 300s by default, but you can change it to fit your needs.

With this, only one request will be made to LDAP server while the session is valid.

evan-chaney commented 2 years ago

Hello @wiltonsr,

First off thanks for your quick work, this is great stuff! I'm running Traefik in Docker stack and I don't think I can specify a branch for the plugin, only tags. Any chance you could tag the branch or otherwise have it show up as a version on plugins.traefik.io?

wiltonsr commented 2 years ago

I created v0.0.18-beta.

Just wait for the refresh on plugins.traefik.io.

evan-chaney commented 2 years ago

Ok I got a chance to play with this at work this morning. It seems awesome! No problems over here and things may even be faster. Thanks for your extremely quick response and turnaround!

wiltonsr commented 2 years ago

Glad to know.

I will improve this feature, because we currently only read the session cookie; I need to add some level of cryptography to prevent fake/malicious requests from being validated.

For now, you could keep using the v0.0.18-beta release.
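The last comment above points at the gap in a cookie that is only read back: anyone who can write the cookie can claim a valid session. The following is an added example, not code from the ldapAuth plugin, showing one way to make such a session cookie tamper-evident and bounded by the CacheTimeout value. It assumes a server-side secret key and a cookie layout of my own choosing (base64url `user|expiresUnix`, a dot, then a base64url HMAC-SHA256 over that payload); the names `MakeSessionCookie` and `ValidateSessionCookie` are hypothetical.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// Errors returned by ValidateSessionCookie, distinguishable so a middleware
// can log why a presented session was rejected.
var (
	ErrMalformed = errors.New("session cookie: malformed value")
	ErrBadSig    = errors.New("session cookie: signature mismatch")
	ErrExpired   = errors.New("session cookie: expired")
)

// sign computes HMAC-SHA256 over the payload with the server-side key.
func sign(key []byte, payload string) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(payload))
	return mac.Sum(nil)
}

// MakeSessionCookie builds "base64url(user|expiresUnix).base64url(sig)".
// cacheTimeout plays the role of the plugin's CacheTimeout parameter.
func MakeSessionCookie(key []byte, user string, now time.Time, cacheTimeout time.Duration) string {
	expires := now.Add(cacheTimeout).Unix()
	payload := base64.RawURLEncoding.EncodeToString([]byte(user + "|" + strconv.FormatInt(expires, 10)))
	sig := base64.RawURLEncoding.EncodeToString(sign(key, payload))
	return payload + "." + sig
}

// ValidateSessionCookie verifies the signature before trusting any field,
// then enforces the expiry. On success it returns the user name embedded
// in the cookie, so no second LDAP bind is needed while the session is valid.
func ValidateSessionCookie(key []byte, value string, now time.Time) (string, error) {
	payload, sigB64, ok := strings.Cut(value, ".")
	if !ok {
		return "", ErrMalformed
	}
	sig, err := base64.RawURLEncoding.DecodeString(sigB64)
	if err != nil {
		return "", ErrMalformed
	}
	// Constant-time comparison, done before the payload is parsed at all.
	if !hmac.Equal(sig, sign(key, payload)) {
		return "", ErrBadSig
	}
	raw, err := base64.RawURLEncoding.DecodeString(payload)
	if err != nil {
		return "", ErrMalformed
	}
	// Split on the last '|' so a user name containing '|' still parses.
	i := strings.LastIndexByte(string(raw), '|')
	if i <= 0 {
		return "", ErrMalformed
	}
	user, expStr := string(raw)[:i], string(raw)[i+1:]
	expires, err := strconv.ParseInt(expStr, 10, 64)
	if err != nil {
		return "", ErrMalformed
	}
	if now.Unix() >= expires {
		return "", ErrExpired
	}
	return user, nil
}

func main() {
	key := []byte("constructed-test-key") // constructed; load from config in practice
	now := time.Now()
	c := MakeSessionCookie(key, "alice", now, 300*time.Second)
	fmt.Println("issued:", c)

	if user, err := ValidateSessionCookie(key, c, now.Add(10*time.Second)); err == nil {
		fmt.Println("accepted session for", user)
	}
	// A cookie written by the client without the key is rejected on signature.
	forged := base64.RawURLEncoding.EncodeToString([]byte("mallory|9999999999")) + ".AAAA"
	_, err := ValidateSessionCookie(key, forged, now)
	fmt.Println("forged cookie:", err)
}
```

The signature check happens before any field is decoded, so a client cannot influence parsing with an unsigned payload, and `hmac.Equal` avoids a timing side channel on the comparison. The key must live only on the Traefik side; rotating it invalidates every outstanding session, which is the expected behaviour.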