Basic http preauthentication #360
$user = $this->userManager->createUser(); | ||
/* @var PackagistUser $user */ | ||
$user->setUsername($userName); | ||
$user->setPlainPassword($user->getUsername()); |
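Review bot: `$user->setPlainPassword($user->getUsername())` on the last line gives every user created here a password equal to the username, so the credential is known to anyone who knows the account name. Wherever a password is still accepted for that account, it offers no protection. Suggest setting a long random value from a CSPRNG that is never stored in plain form or shown to anyone, so the account has no usable password.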
this seems a really bad idea
If the http authentication is enabled, the password is only used when you want to change your email address.
Can you suggest an alternative solution?
I was thinking about putting conditions on the code to not display the password field on the edit profile page, and into the validator in the controller, since in the http authentication use case password has no meaning.
👍
@stof still no thoughts on this?
Closing as I'd rather have people use https://toranproxy.com than private packagist since the latter will evolve without care for non-packagist.org users of the code.
Provides an optional basic http authentication.
It can be used to host private packagist service behind any kind of http authentication (htpasswd, apache with mod_ldap, etc).
This modification solves #265 without having bigger modifications on the current running instances.
The two new options are preauthenticated_provider.enabled and preauthenticated_provider.default_email_domain.
With the enabled flag you can enable http authentication listener and user provider. If you leave it false, no further modifications are required.
If enabled, the userprovider is being put behind a userproviderproxy object, which proxies all the method calls to the userprovider instance, but when no user is found, it creates one.
The default_email_domain is used to create an email address for the new user as email is not nullable.
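
The proxy behaviour described above, as an added example that is not code from this pull request or from Packagist: a user is created on first sight of a pre-authenticated username, with the email built from the default domain. It swaps the username-as-password step for a discarded random secret. `User`, `InMemoryUserStore` and `AutoProvisioningProvider` are hypothetical stand-ins, and PHP 8 is assumed.

```php
<?php
declare(strict_types=1);
// Hypothetical stand-ins for illustration; not the project's classes.

final class User
{
    public function __construct(
        public string $username,
        public string $email,
        public string $passwordHash
    ) {}
}

final class InMemoryUserStore
{
    /** @var array<string, User> */
    private array $users = [];

    public function find(string $username): ?User
    {
        return $this->users[$username] ?? null;
    }

    public function save(User $user): void
    {
        $this->users[$user->username] = $user;
    }
}

final class AutoProvisioningProvider
{
    public function __construct(
        private InMemoryUserStore $store,
        private string $defaultEmailDomain
    ) {}

    // $username is the name the front-end web server already authenticated.
    public function loadPreauthenticated(string $username): User
    {
        $user = $this->store->find($username);
        if ($user !== null) {
            return $user; // existing account: plain pass-through
        }
        // Email is not nullable, so derive one from the configured domain.
        $email = $username . '@' . $this->defaultEmailDomain;
        // Random secret, hashed and then discarded: nothing derived from the
        // username can ever be used as this account's password.
        $hash = password_hash(bin2hex(random_bytes(32)), PASSWORD_DEFAULT);
        $user = new User($username, $email, $hash);
        $this->store->save($user);
        return $user;
    }
}

// Constructed sample run.
$provider = new AutoProvisioningProvider(new InMemoryUserStore(), 'example.org');
$alice = $provider->loadPreauthenticated('alice');
echo $alice->email, ' guessable=', var_export(password_verify('alice', $alice->passwordHash), true), "\n";
```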