use as oauth reverse proxy for non ASGI apps

[ananis25]

Use-case:
Adding authentication to a non-python app running behind Nginx. Nginx provides an auth_request directive to authenticate all requests against an external service (link).

Change:
I tweaked the code here a tiny bit to use this app as the auth service. Nginx only accepts 200 and 4xx from authentication subrequests so we return a 401 when the user is not logged in and make Nginx redirect them to the login screen provided by this app.

@@ -109,11 +112,17 @@ class GitHubAuth:
         if scope.get("path") == self.callback_path:
             return await self.auth_callback(scope, receive, send)

+        login_path = "/-/login"
+        if scope.get("path") == login_path:
+            return await self.handle_require_auth(scope, receive, send)
+
         auth = self.auth_from_scope(scope)
         if auth or (not self.require_auth):
             await self.app(dict(scope, auth=auth), receive, send)
         else:
-            await self.handle_require_auth(scope, receive, send)
+            if self.non_asgi_proxy:
+                await send_html(send, 'redirect to login screen', status=401)
+            else:
+                await self.handle_require_auth(scope, receive, send)

Nginx config:

  location /login/ {
      auth_request off;      
      proxy_pass http://datasette-auth-github/;
  }

  location @errorlogin {
      return 302 /login/-/login;
  }

  location /secret/ {
      auth_request /login/;
      proxy_pass http://node-app/;
      error_page 401 = @errorlogin;
  }

Does this use-case make sense for the project? Happy to make a quick PR for it.
P.S. Thank you for writing this! I had difficulty grasping other python libraries doing OAuth.

[simonw]

This is a fascinating idea! I'd love to see a pull request for this.

I'm not too keen on the non_asgi_proxy name here. Maybe this is something we could enable by redesigning the code very slightly to make it easy to create a subclass that implements the required behaviour.

[simonw]

After thinking about this a bit more, I don't think it's appropriate as a feature for datasette-auth-github itself - but it would make a fantastic standalone mini web application which loads datasette-auth-github as a dependency. I'd be very happy to make changes to this library that would enable that application to be built (if it's not possible to build it using the library as it stands today).

[ananis25]

Thanks Simon, it makes sense since datasette-auth-github is primarily an authentication plugin for datasette.

A small refactoring lets me subclass the GithubAuth class to fit nginx compatible authentication - gist link. Could you please take a look at the related PR #49 ?

Would it be okay with you if I create a new repository for the oauth application with datasette-auth-github as a dependency?

[simonw]

Yes absolutely - go ahead with that new repo.

Thanks for the fix in #49 - I just landed it.