Granular SSO: private upload, public download

[HipyCas]

I've made some progresses, thought I don't consider this "fixed" (comment)

Hello everyone! First of all, I want to congratulate everyone for this project, I've been looking for something like this for a while and this just works amazingly well. I was first going to publish this as kind of a bug for my specific case, but I though I could just generalize to my actual main objective, so hope the issue is all good. And yes I know it is a pretty long issue, but I wanted to explain as good as I can my issue and request.

Context

Currently, I am trying to implement a SSO in a server I've set up, where I am also setting up Send. So, here is my use case:

Both the SSO and Send would be under subdomains, the SSO under auth.server.com and send.server.com (domains are just illustrative). For the SSO I'm running Authentik, and set a Proxy Provider to secure Send. This Proxy Provider is pretty simple, it checks if the user is signed in the SSO outpost (i.e. in auth.server.com) and if it is it allows Nginx to do the proxy_pass to send, if not it redirects to auth.server.com so you can authenticate, bringing you back to send.server.com after authentication. This works perfectly, but I'm looking to configure in a way I wasn't able to, explained below.

What I would like to do

I would like to require authentication only for upload, but allowing anyone to download. My first attempt was to exclude the /download and derived paths from the authentication proxy, allowing anyone to access them. That kinda works, I say kinda because this is what I get:

What I guess is happening here is the following:

• The user successfully loads the HTML in /download/<...> 😄
• The page does a request to somewhere in send.server.com that is not a path that starts with /download, therefore Nginx requests authentication and thigs just crash 😭

I thought that maybe it was trying to request some file, so I tried to configure Nginx to bypass authentication on all routes that may be a file, but I had no luck either.

The solutions I thought of

Maybe just document it

I could try to do this myself now that I've discovered how to actually do it, but I would need some guidance as to where this would be (probably with the other reverse proxy docs)

The (I believe) quickest and simplest solution is to just provide somewhere in the documentation which paths the /download/<...> pages request, so we can configure Nginx to exclude them. It's not specially comfortable for whoever has to configure Nginx there and looks a bit odd as solution, but I mean it would work (also requires probably LOTS of maintenance).

Rewrite the paths

Althought this could still be a nice thign to do, I have already figured out which paths I have to allow as I describe in the comment

The first solution I thought of is setting the paths for everything that the /download/<..> pages request to start with a common path segment, for example /download-assets or /download/assets. That would make it so easy to exclude from the authentication proxy and is more of a long-term solution, thought it will probably take a lot of work and effort.

My favourite: SAML (or other SSO-compatible auth method)

Before posting this, I've looked at issue #32. First of all, developing that would already be a good amount of job and incredibly great, but it doesn't completely enable SSO. It would be really great if, alongside this, Send provided the option to disable the internal auth GUI and allow SAML, LDAP or other authentication. If that seems too fancy, Navidrome for example provides a pretty basic proxy-based authentication (which is like the one I was trying to implement with Send as explained above). There is just one important difference (at least for my case and what I believe was also commented on #32) from other services implementing this kind of login: download should be exempt of this authentication. I know this may take some time to be developed, but I would be very happy if this actually pulled through :D.

---

That's all, thanks a lot for your work and dedication! Feel free to ask for any more details or if I haven't explained myself well enough.

[HipyCas]

Lucky of me, I stumbled accross this issue's comment in GitLab by pure chance. I saw that he had to allow a /api/ws location for something about websockets (tbh I haven't read the full issue) and so I discovered that it turns out that fixes part of my errors.

There where other errors, which I looked at them with the console inspector and turned out to be fonts in woff2, the manifest file and SVGs (the latest for some reason didn't show up in the DevTools). It turns out that fixes everything!

And when looking at this, I saw another problem with this implementation: when you click the Try Send button, it redirects to send.server.com bypassing auth. This could be fixed with simply making it a native routing with page load instead of a JS SPA-like routing (I'll try doing that with Nginx, thought that is only a temporary patch). But actually the best solution would be the implementation of the SSO-compatible user authentication system in Send, which could check if the user is logged in before actually loading the upload page and allowing them to upload.

[sarce666]

hello

i was looking exactly for the same
we use cloudflare to hide the upload, and loke you we opened the download , but like you we found out the the /download had reference to the root folder

did you succed to fix this ?

thanks

[Kidoly]

Same Here

[anon243]

Hey @HipyCas could you help me with authentik? I have set up the following, but it's not working:

Proxy Provider
default-authentication-flow (Welcome to authentik!)
default-provider-authorization-implicit-consent (Authorize Application)

External host: http://localhost:8080
Internal host: http://localhost:8080

Authentik: http://localhost:9000

Outpost
Integration: Local Docker connection
Type: Proxy
Applications: web app

[anon243]

@HipyCas I'm looking to achieve exactly the same as you.