Pode's inbuilt user file authentication works cross-platform, relying just on a JSON file with an array of valid users.
This authenticator can only be used with Basic and Form. Custom is also supported, but a username and password must be supplied.
To use user file authentication you can use the Add-PodeAuthUserFile
function. The following example will validate a user's credentials, supplied via a web-form, against the default user file at ./users.json
from the server's root:
Start-PodeServer {
New-PodeAuthScheme -Form | Add-PodeAuthUserFile -Name 'Login'
}
The default users file is ./users.json
at the root of the server. You can supply a custom file path using the -FilePath
parameter.
The users file is a JSON array of user objects, each user object must contain the following (metadata is optional):
Name | Type | Description |
---|---|---|
Username | string | The user's username |
Name | string | The user's fullname |
string | The user's email address | |
Password | string | Either a SHA256 or an HMAC SHA256 of the user's password |
Groups | string[] | An array of groups which the the user is a member |
Metadata | psobject | Custom metadata for the user |
For example:
[
{
"Name": "Joe Bloggs",
"Username": "j.bloggs",
"Email": "j.bloggs@company.com",
"Password": "XohImNooBHFR0OVvjcYpJ3NgPQ1qq73WKhHvch0VQtg=",
"Groups": [
"Admin",
"Developer"
],
"Metadata": {
"Created": "2001-01-01"
}
}
]
The password is normally a standard SHA256 hash, but Pode does support HMAC SHA256 hashes as well. If you use an HMAC hash, you can specify the secret used as follows:
Start-PodeServer {
New-PodeAuthScheme -Form | Add-PodeAuthUserFile -Name 'Login' -HmacSecret '<some-secret>'
}
The User object returned, and accessible on Routes, and other functions via the web event's $e.Auth.User
, will contain the following information:
Name | Type | Description |
---|---|---|
Username | string | The user's username |
Name | string | The user's fullname |
string | The user's email address | |
Groups | string[] | An array of groups which the the user is a member |
Metadata | psobject | Custom metadata for the user |
Such as:
Add-PodeRoute -Method Get -Path '/info' -Authentication 'Login' -ScriptBlock {
param($e)
Write-Host $e.Auth.User.Username
}
You can supply a list of group names to validate that users are a member of them. If you supply multiple group names, the user only needs to be a of one of the groups. You can supply the list of groups to the function's -Groups
parameter as an array - the list is not case-sensitive:
Start-PodeServer {
New-PodeAuthScheme -Form | Add-PodeAuthUserFile -Name 'Login' -Groups @('admins', 'devops')
}
If an user being authenticated is not in one of these groups, then a 401 is returned.
You can supply a list of authorised usernames to validate a user's access, after credentials are validated, and instead of of checking AD groups. You can supply the list of usernames to the function's -Users
parameter as an array - the list is not case-sensitive:
Start-PodeServer {
New-PodeAuthScheme -Form | Add-PodeAuthWindowsAd -Name 'Login' -Users @('jsnow', 'rsanchez')
}
If an user being authenticated is not one of the allowed users, then a 401 is returned.