Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

use as oauth reverse proxy for non ASGI apps #45

Closed
ananis25 opened this issue Sep 10, 2019 · 4 comments

Comments

@ananis25
Copy link
Contributor

commented Sep 10, 2019

Use-case:
Adding authentication to a non-python app running behind Nginx. Nginx provides an auth_request directive to authenticate all requests against an external service (link).

Change:
I tweaked the code here a tiny bit to use this app as the auth service. Nginx only accepts 200 and 4xx from authentication subrequests so we return a 401 when the user is not logged in and make Nginx redirect them to the login screen provided by this app.

@@ -109,11 +112,17 @@ class GitHubAuth:
         if scope.get("path") == self.callback_path:
             return await self.auth_callback(scope, receive, send)

+        login_path = "/-/login"
+        if scope.get("path") == login_path:
+            return await self.handle_require_auth(scope, receive, send)
+
         auth = self.auth_from_scope(scope)
         if auth or (not self.require_auth):
             await self.app(dict(scope, auth=auth), receive, send)
         else:
-            await self.handle_require_auth(scope, receive, send)
+            if self.non_asgi_proxy:
+                await send_html(send, 'redirect to login screen', status=401)
+            else:
+                await self.handle_require_auth(scope, receive, send)

Nginx config:

  location /login/ {
      auth_request off;      
      proxy_pass http://datasette-auth-github/;
  }

  location @errorlogin {
      return 302 /login/-/login;
  }

  location /secret/ {
      auth_request /login/;
      proxy_pass http://node-app/;
      error_page 401 = @errorlogin;
  }

Does this use-case make sense for the project? Happy to make a quick PR for it.
P.S. Thank you for writing this! I had difficulty grasping other python libraries doing OAuth.

@simonw

This comment has been minimized.

Copy link
Owner

commented Oct 4, 2019

This is a fascinating idea! I'd love to see a pull request for this.

I'm not too keen on the non_asgi_proxy name here. Maybe this is something we could enable by redesigning the code very slightly to make it easy to create a subclass that implements the required behaviour.

@simonw

This comment has been minimized.

Copy link
Owner

commented Oct 5, 2019

After thinking about this a bit more, I don't think it's appropriate as a feature for datasette-auth-github itself - but it would make a fantastic standalone mini web application which loads datasette-auth-github as a dependency. I'd be very happy to make changes to this library that would enable that application to be built (if it's not possible to build it using the library as it stands today).

@ananis25

This comment has been minimized.

Copy link
Contributor Author

commented Oct 13, 2019

Thanks Simon, it makes sense since datasette-auth-github is primarily an authentication plugin for datasette.

A small refactoring lets me subclass the GithubAuth class to fit nginx compatible authentication - gist link. Could you please take a look at the related PR #49 ?

Would it be okay with you if I create a new repository for the oauth application with datasette-auth-github as a dependency?

@simonw

This comment has been minimized.

Copy link
Owner

commented Oct 14, 2019

Yes absolutely - go ahead with that new repo.

Thanks for the fix in #49 - I just landed it.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
2 participants
You can’t perform that action at this time.