Password / Authentication ? #190

Open
rwatts3 opened this issue Jul 10, 2017 · 3 comments

@rwatts3
Contributor

rwatts3 commented Jul 10, 2017

Is it possible to lock down the notebook via password?

@rgbkrk
Member

rgbkrk commented Jul 10, 2017

Right now I'm deploying this with nginx in the front, requiring authentication with an OAuth service. I'd be happy if we plugged in OAuth.

@rwatts3
Contributor Author

rwatts3 commented Jul 10, 2017

Ah ok, yes I can see possibly a component, with maybe a store configuration holding the auth state.
We could lock down the route rendering or initial component to render based on successful authentication.

@betatim
Member

betatim commented Dec 3, 2017

Following up on #242 (comment) and auth.

What do you think of a setup where a direct link to a file works but listing requires you to be auth'ed and have the right privileges. I was thinking of a structure like:

```
anonymous/
  235235.ipynb
  438436.ipynb
betatim/
  foobar.ipynb
  blahblahcar.ipynb
rgbkrk/
  more-woah.ipynb
  2345.ipynb
```

If you can auth as betatim then at http://example.com/view/betatim/ you would see the directory listing of betatim/ but for http://example.com/view/rgbkrk/ you would just get a 404. No one can auth as anonymous, so there would be no listing the contents.

If someone visited http://example.com/view/betatim/foobar.ipynb they would get the notebook, no matter who they can/can't auth as. This would let me easily share stuff with others by sending them the direct link. The problem with this is that if you know that I like to name my notebooks after colours you can brute force your way to them.

An alternative could be to store in the notebook's metadata field a key that tells commuter if this is a public or private notebook. If someone who isn't auth'ed as the user of that directory tries to request it, commuter checks that field before serving.

Yet another way would be to have betatim/public/ and only stuff in here can be accessed without auth.

Overall I am not sure I really like any of these approaches for sharing. What I want is that purely from the URL we can determine if the requestor is allowed to see it or not, without the need of storing access info somewhere.
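
Added example (not part of the comment above and not commuter's own code): the three sharing layouts from that comment written as one access decision, so they can be compared on the same requests. The policy names, the `public` metadata key and the `decide` function are assumptions made for illustration.

```javascript
// Added example, not commuter code. Policy names, the "public" metadata key
// and decide() itself are hypothetical; urlPath is assumed already URL-decoded.

// Resolve "." and ".." before any ownership check, so that
// "betatim/../rgbkrk/" is judged as "rgbkrk/" and cannot escape the root.
function segments(urlPath) {
  const out = [];
  for (const seg of urlPath.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") out.pop();
    else out.push(seg);
  }
  return out;
}

// policy: "direct-link" | "metadata" | "public-dir"
// authUser: authenticated username, or null for an unauthenticated request.
// meta: the notebook's metadata object (only read by the "metadata" policy).
// Returns 200 or 404; 404 is used for every refusal, as in the comment.
function decide(policy, urlPath, authUser, meta = {}) {
  const parts = segments(urlPath);
  if (parts.length === 0) return 404; // never list the set of users
  const owner = parts[0];
  // Nobody can authenticate as "anonymous", so that directory has no owner.
  const isOwner = owner !== "anonymous" && authUser !== null && authUser === owner;
  // Assumption: anything not ending in .ipynb is a directory listing.
  const isNotebook = parts.length > 1 && parts[parts.length - 1].endsWith(".ipynb");

  if (isOwner) return 200;     // owners see their listings and notebooks
  if (!isNotebook) return 404; // listings are owner-only
  switch (policy) {
    case "direct-link": return 200; // knowing the URL is enough
    case "metadata":    return meta.public === true ? 200 : 404;
    case "public-dir":  return parts[1] === "public" && parts.length > 2 ? 200 : 404;
    default:            return 404; // unknown policy fails closed
  }
}
```

Under `direct-link` any guessable notebook name is readable, which is the brute-force concern raised in the comment; the other two policies return 404 unless the notebook was explicitly marked or placed as public.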
