Simple authentication + gallery bulk selection #347
Merged
Another big PR with a million things included, who could have seen this coming? 🙃

## Authentication

We've added support for multiple forms of authentication, which can be enabled with the `ROMM_AUTH_ENABLED` environment variable. The hybrid authentication middleware includes support for sessions, `Basic` authorization header, and `Bearer` OAuth2 access tokens. `ROMM_AUTH_USERNAME` and `ROMM_AUTH_PASSWORD` should be passed in to create the default admin user. `ROMM_AUTH_SECRET_KEY` is required and can be generated with `openssl rand -hex 32`.

### Sessions

When the `/login` endpoint is called with valid credentials, a `session_id` is generated, stored as a cookie and sent to the browser. The same token is used to create a cache entry in Redis (or in-memory if Redis is disabled) which maps the token to the user. This way no sensitive information is stored on the client. Note that only Redis-backed sessions will survive a container restart, as in-memory sessions are wiped. Sessions currently do not expire, but this is something we can if/when Redis becomes required.

### Basic authentication

Requests can be made to protected API endpoints with an authorization header. The token is the base64 encoded value of `username:password`.

```bash
curl https://romm_url/api/platforms -H 'Authorization: Basic YWRtaW46aHVudGVyMg=='
```

### OAuth

Along with the above forms of authentication, we've added an endpoint to generate authentication tokens (`/api/token`). Authenticating with that endpoint will return an `access_token` valid for 15 minutes, and a `refresh_token` valid for 2 weeks which allows you to generate a new access token.

The endpoint accepts a username, password and a list of scopes, in the format `read:roms write:roms read:platforms...`. The list of scopes and endpoints are available to browse via Swagger UI or Redoc (see next section).

Note that the password grant type is the only one supported at the moment.

## OpenAPI

As part of this work, our API endpoints are now OpenAPI spec-compliant. The raw JSON spec can be accessed from `/openapi.json`. We've also enabled access to Swagger UI at `/api/docs` and Redoc at `/api/redoc`.

## Multi-select

Rolled into this change is the ability to multi and mass-select ROMs in the library. Selected ROMs can be mass-deleted, force rescanned to fetch the latest info from IGDB, and downloaded concurrently. Shift-select and CTRL-select are both supported for easy selection.

## Redis

Lastly, we've added the option to enable experimental support for Redis with the `ENABLE_EXPERIMENTAL_REDIS` environment variable. If enabled, a worker will start up, listen to all 3 queues (low, default, high) and process tasks as they're enqueued. Enabling Redis will have the following benefits:

We plan to build more features (like scheduled tasks) backed by Redis in the near future. If you'd like to try out Redis, remember to set `REDIS_HOST` and `REDIS_PORT` to the correct values for your setup.

Closes #24
Closes #50
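The hybrid scheme described in the PR (session cookie, `Basic` header, `Bearer` token issued by a password grant with a space-separated scope list) is worth seeing end to end, so here is an added, self-contained Python sketch of how such a middleware resolves a caller and enforces a scope. This is not RomM's code; it assumes in-memory stand-ins for the user, session and token stores, uses the three scope names from the description, treats direct credential auth (Basic or session) as carrying every scope, and rejects a request whose `Authorization` header is present but invalid rather than falling back to the cookie. Sample users, sessions and headers are constructed for the demo.

```python
"""Hybrid Authorization-header resolution and scope checks (constructed example, not RomM's code)."""
from __future__ import annotations

import base64
import binascii
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# --- Constructed sample state: stand-ins for the real user/session/token stores ---
ALL_SCOPES = {"read:roms", "write:roms", "read:platforms"}   # scope names from the PR description
USERS = {"admin": "hunter2"}        # constructed; plain text only for this demo
SESSIONS = {"sess-0123": "admin"}   # session_id -> user: the server-side half of a cookie session
ISSUED_TOKENS: dict[str, tuple[str, frozenset]] = {}   # access_token -> (user, scopes)


@dataclass
class Principal:
    username: str
    scheme: str          # "session", "basic" or "bearer"
    scopes: frozenset    # scopes this request may exercise


def parse_scopes(scope_string: str) -> Optional[frozenset]:
    """Parse the space-separated scope list sent to the token endpoint; None if any scope is unknown."""
    requested = frozenset(scope_string.split())
    if not requested or not requested <= ALL_SCOPES:
        return None
    return requested


def check_password(username: str, password: str) -> bool:
    """Constant-time comparison so a wrong password and a wrong user are indistinguishable by timing."""
    stored = USERS.get(username)
    if stored is None:
        hmac.compare_digest(password.encode(), b"\x00" * 8)   # burn comparable time for unknown users
        return False
    return hmac.compare_digest(password.encode(), stored.encode())


def issue_token(username: str, password: str, scope_string: str) -> Optional[str]:
    """Password grant: valid credentials plus a valid scope list yield an opaque bearer token."""
    scopes = parse_scopes(scope_string)
    if scopes is None or not check_password(username, password):
        return None
    token = secrets.token_urlsafe(32)
    ISSUED_TOKENS[token] = (username, scopes)
    return token


def parse_basic(credentials: str) -> Optional[tuple[str, str]]:
    """Decode the payload of 'Basic <b64(username:password)>'; None on bad base64 or a missing colon."""
    try:
        raw = base64.b64decode(credentials, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if ":" not in raw:
        return None
    user, _, password = raw.partition(":")
    return user, password


def authenticate(headers: dict, cookies: dict) -> Optional[Principal]:
    """Resolve the caller. An Authorization header, when present, is authoritative:
    a malformed or invalid header is rejected instead of falling back to the session cookie."""
    auth = headers.get("Authorization")
    if auth is not None:
        scheme, _, credentials = auth.partition(" ")
        scheme, credentials = scheme.lower(), credentials.strip()
        if scheme == "bearer":
            entry = ISSUED_TOKENS.get(credentials)
            if entry is None:
                return None
            user, scopes = entry
            return Principal(user, "bearer", scopes)
        if scheme == "basic":
            parsed = parse_basic(credentials)
            if parsed is None or not check_password(*parsed):
                return None
            # Assumption: authenticating with the credentials themselves carries every scope.
            return Principal(parsed[0], "basic", frozenset(ALL_SCOPES))
        return None   # unknown scheme
    user = SESSIONS.get(cookies.get("session_id", ""))
    if user is None:
        return None
    return Principal(user, "session", frozenset(ALL_SCOPES))


def handle_request(required_scope: str, headers: dict, cookies: dict) -> int:
    """Return the HTTP status a protected endpoint needing `required_scope` would answer with."""
    principal = authenticate(headers, cookies)
    if principal is None:
        return 401   # not authenticated
    if required_scope not in principal.scopes:
        return 403   # authenticated, but the token was not granted this scope
    return 200


if __name__ == "__main__":
    tok = issue_token("admin", "hunter2", "read:roms read:platforms")
    print(handle_request("read:platforms", {"Authorization": "Basic YWRtaW46aHVudGVyMg=="}, {}))
    print(handle_request("write:roms", {"Authorization": f"Bearer {tok}"}, {}))
```

The two behaviours worth noticing are the 401/403 split (a read-only token hitting a write endpoint is a scope failure, not a credential failure) and the choice to treat a bad `Authorization` header as final: letting it silently fall through to a session cookie would let a stale or mistyped token succeed on the strength of a browser session the caller did not intend to use.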