
when logging in: user can see all other users & package indexes #8

Open
BenjaminYde opened this issue Jun 20, 2023 · 1 comment

@BenjaminYde

BenjaminYde commented Jun 20, 2023

I am using devpi-lockdown and logging in with user and pass using nginx works successfully.
The problem I have is that when I log in, the user can see all other users and package indexes.
Is this normal behaviour?
I want the user only to see their own account with all the package indexes below.
Maybe a quicker feature to implement is to say for which users the web view can be loaded?
(for example only root can see this)

The users I have:

  • root/pypi
  • user-a/mono
  • user-b/mono

For example when user-a logs in, they can see root/pypi and user-b while they should only be able to see user-a with the index mono.

versions:

devpi-lockdown-2.0.0
devpi-server-6.9.0
devpi-web-4.2.0

my nginx.conf:

# HTTP server redirects all traffic to HTTPS
server {
    listen 80;
    listen [::]:80;

    server_name _;

    # this redirects to the login view when not logged in
    recursive_error_pages on;
    error_page 401 = @error401;
    location @error401 {
        return 302 /+login?goto_url=$request_uri;
    }

    # lock down everything by default
    auth_request /+authcheck;

    # the location to check whether the provided infos authenticate the user
    location = /+authcheck {
        internal;

        proxy_pass_request_body off;

        proxy_set_header Content-Length "";
        proxy_set_header X-Original-URI $request_uri;
        proxy_set_header X-outside-url $scheme://$http_host;  # copy the value from your existing configuration
        proxy_set_header X-Real-IP $remote_addr;  # copy the value from your existing configuration

        proxy_pass http://devpi:3141;
    }

    location / {
        # workaround to pass all requests to / through to the named location below
        error_page 418 = @proxy_to_app;
        return 418;
    }

    location @proxy_to_app {
        proxy_pass http://devpi:3141;
        # the $x_scheme variable is only required if nginx is behind another
        # proxy (often the case in container environments),
        # if your nginx is the only proxy server, the $scheme variable can be
        # used and the map $http_x_forwarded_proto $x_scheme above be removed
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-outside-url $scheme://$http_host;
        proxy_set_header X-Real-IP $remote_addr;
    }
}
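To confirm what the issue describes on your own server, here is an added audit script (not from the issue or from devpi-lockdown) that logs in as one user and lists every user/index the server exposes to that user. It assumes the JSON API that devpi-client uses: POST /+login with {"user", "password"} returns a token in result["password"], and GET / with Accept: application/json returns {"result": {user: {"indexes": {...}}}}; the sample listing is constructed to match the reporter's three users.

```python
"""Added example: report users/indexes visible to a logged-in devpi user."""
import base64
import json
import urllib.request

# Constructed sample of a GET / listing as user-a on the reporter's setup:
# every user and index is visible, which is the leak the issue describes.
SAMPLE_LISTING = {
    "type": "list:userconfig",
    "result": {
        "root": {"username": "root", "indexes": {"pypi": {"type": "mirror"}}},
        "user-a": {"username": "user-a", "indexes": {"mono": {"type": "stage"}}},
        "user-b": {"username": "user-b", "indexes": {"mono": {"type": "stage"}}},
    },
}


def foreign_indexes(listing, own_user):
    """Return sorted 'user/index' names that belong to users other than own_user.

    An empty list means the server presents per-user separation to own_user;
    anything else is information the issue reporter did not want exposed.
    """
    found = []
    for user, cfg in listing.get("result", {}).items():
        if user == own_user:
            continue
        for index in cfg.get("indexes", {}):
            found.append(f"{user}/{index}")
    return sorted(found)


def fetch_listing(base_url, user, password):
    """Log in as user and fetch the user/index listing with the session token.

    Assumed API shape (from devpi-client): token comes back in result["password"],
    and is sent back as HTTP Basic auth with the user name.
    """
    body = json.dumps({"user": user, "password": password}).encode()
    req = urllib.request.Request(f"{base_url}/+login", data=body,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        token = json.load(resp)["result"]["password"]
    cred = base64.b64encode(f"{user}:{token}".encode()).decode()
    req = urllib.request.Request(base_url + "/", headers={
        "Accept": "application/json", "Authorization": f"Basic {cred}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Offline run on the constructed sample; for a live check use
    # fetch_listing("https://devpi.example", "user-a", "<password>") instead.
    print(foreign_indexes(SAMPLE_LISTING, "user-a"))  # → ['root/pypi', 'user-b/mono']
```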
@fschulze
Contributor

The devpi-lockdown package is meant to lockout outsiders. The architecture of devpi-server makes it very hard to do proper user separation, as there are several possible sources of information leakage, like the search in devpi-web. It is possible to add some more restrictions with hooks in a plugin, but I never released that as a package, as it will never meet expectations for everyone and there are too many possible surprises. See devpi/devpi#824 (comment)
