Document + example how to implement a custom login #145
Comments
I have done on my fork: https://github.com/boehs/timetagger |
@boehs I don't see where. Was it on a branch that has been deleted or something? |
Where did it go!? I'm so confused, I deployed it to my server by git cloning.... In any case, it should be there now |
Gentlemen, I want to run an instance of TT under nginx + docker environment and have some auth for only me. Let me share this info, hope it will be useful.
Auth file is created with a htpasswd tool and contains only one user.
Next, I copied run.py from timetagger cloned repo into conf/timetagger and did these modifications:
So nginx passes authorization header that will contain 'Basic xxxx', and that value may be parsed (this is base64-value that has user:password text), but I just saved that entire header value and check it on request. |
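As an added example (not code from this thread or from the timetagger project), the snippet below shows how the Basic header described above can be decoded and checked against the htpasswd file instead of being compared as one opaque string. It assumes a dict-like headers object with lowercase keys (as the run.py handlers receive) and handles only the {SHA} entry format that htpasswd -s writes; bcrypt or apr1 entries would need a library.

```python
import base64
import binascii
import hashlib
import hmac

# Constructed sample htpasswd file with a single user "me" whose password is
# "s3cret", stored in the {SHA} format: base64(sha1(password)).
HTPASSWD_TEXT = (
    "me:{SHA}"
    + base64.b64encode(hashlib.sha1(b"s3cret").digest()).decode("ascii")
    + "\n"
)


def load_htpasswd(text):
    """Parse 'user:hash' lines into a dict; blank lines and comments are skipped."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, digest = line.partition(":")
        users[user] = digest
    return users


def parse_basic_header(value):
    """Return (user, password) from 'Basic <base64>' or None if malformed."""
    scheme, _, payload = value.strip().partition(" ")
    if scheme.lower() != "basic" or not payload:
        return None
    try:
        raw = base64.b64decode(payload.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        decoded = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    return user, password


def verify_password(password, stored):
    """Check a password against a {SHA} htpasswd entry in constant time."""
    if not stored.startswith("{SHA}"):
        return False
    expected = stored[len("{SHA}"):]
    actual = base64.b64encode(
        hashlib.sha1(password.encode("utf-8")).digest()
    ).decode("ascii")
    return hmac.compare_digest(actual, expected)


def authenticate_basic(headers, htpasswd_text):
    """Return the username if the Authorization header carries valid Basic
    credentials for a user in the htpasswd file, otherwise None."""
    value = headers.get("authorization")
    if not value:
        return None
    parsed = parse_basic_header(value)
    if parsed is None:
        return None
    user, password = parsed
    stored = load_htpasswd(htpasswd_text).get(user)
    if stored is None:
        # Run a dummy comparison so an unknown user costs about the same time
        verify_password(password, "{SHA}" + "A" * 28)
        return None
    return user if verify_password(password, stored) else None
```

A handler in run.py would call authenticate_basic(request.headers, open("/path/to/auth").read()) and return 401 when it yields None; reading the file once at startup rather than per request is the obvious refinement.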
I don't see anything on your repo that is different from what is on this repo about making a custom login. Also in regards to the above post, I'm not sure what needs to be put into the modified run.py file. My presumption is that anything that was a - line is in the modified file, and the + is what is in the original. |
EDIT: I have been successful in getting it to authenticate against Authelia. The login process is now automatic. Here's what I added to the run.py file under webtoken_for_localhost:
I also added this to the api_handler section and it properly deauths the user, and in the event they authenticated against Authelia first for a different domain it will show "Unauthorized" with the login button to take care of that scenario as well.
I also changed my nginx config for the site under sites-available (I'm running nginx) to do the following: auth_request_set $target_url https://timetaggerurl.example.com/timetagger/login; This will force Authelia to always redirect to the login page of the Timetagger instance, thus ensuring that a direct re-auth with Authelia will immediately reset the web-token regardless of the previously logged in user. This makes it a seamless login process for the end user without much modification of the Timetagger application itself. |
Update: The above method breaks the API configuration, here is the error I am seeing when trying to use the API:
If I remove the following:
The user is still properly de-auth'd but it doesn't present a login button; however, the API then works as expected. So for now, I'm going to leave that bit commented out so it will work, and if you have any insight as to what needs correcting I'm willing to try it. |
The keyerror means that the 'remote-user' field is not present in the header. You could replace that line with AUTH_USER = request.headers.get('remote-user', None) and maybe test |
What I did is this:

    # Fragment of a modified run.py. The names used below (authenticate,
    # AuthException, api_handler_triage, get_webtoken_unsafe) are the ones the
    # stock run.py already imports from timetagger.server.
    from timetagger.server import (
        authenticate,
        AuthException,
        api_handler_triage,
        get_webtoken_unsafe,
    )


    async def api_handler(request, path):
        # Some endpoints do not require authentication
        if not path and request.method == "GET":
            return 200, {}, "See https://timetagger.readthedocs.io"
        elif path == "webtoken_for_localhost":
            return await webtoken_for_localhost(request)

        # Authenticate and get user db
        try:
            auth_info, db = await authenticate(request)
            # Reject the session if the proxy (authentik) now reports a different
            # user than the one the web token was issued for
            if (
                "x-authentik-username" in request.headers
                and auth_info["username"] != request.headers["x-authentik-username"]
            ):
                raise AuthException("User changed")
        except AuthException as err:
            return 401, {}, f"Please login again: {err}"

        # Handle endpoints that require authentication
        return await api_handler_triage(request, path, auth_info, db)


    async def webtoken_for_localhost(request):
        # Establish that we can trust the client: the proxy must have set the user header
        if "x-authentik-username" not in request.headers:
            return 403, {}, "forbidden: must be on authenticated"
        remoteUser = request.headers["x-authentik-username"]
        if not remoteUser:
            return 403, {}, "forbidden: must be on authenticated"
        # Return the webtoken for the proxy-authenticated user
        token = await get_webtoken_unsafe(remoteUser)
        return 200, {}, dict(token=token)

It also makes sure that the authenticated user is still the logged-in user. |
No clue what the heck is going on, you can see the diff here main...boehs:main |
Timetagger now has basic authentication builtin! |
@atomicangel, this was super helpful, thanks!
With this set up, do you still need to click on the 'submit' button on the login page? So far I can get a web token when signing in with Authelia, but still need to login with a blank username and password - it will log in with the username from Authelia though. I have the redirect set in the run.py file for now. I'm using Nginx Proxy Manager so it's not exactly clear to me how to set the Nginx redirect. |
For self-hosters.