-
-
Notifications
You must be signed in to change notification settings - Fork 729
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add possibility for 'user-auth' authorization #812
base: main
Are you sure you want to change the base?
Conversation
This looks great, thank you. Given that it is an auth change, I will test this thoroughly myself, but I would highly appreciate some unit tests around this. Check out |
I would expect nothing less ;-)
I will definitely give this a try, but as I said, this will at least take some days. Maybe one question about performance: |
server/server.yml
Outdated
# Otherwise the authentication can be bypassed by a crafted header. | ||
# | ||
# user-header: x-forwarded-user | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think this header should only be allowed if behind-proxy: true
is set.
server/server.go
Outdated
|
||
// extractUserHader pulls the username of an already authenticated user from the configured header | ||
func extractUserHeader(r *http.Request, h string) (username string) { | ||
return readParam(r, h) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Took me a while, but this is a giant security flaw, becausereadParam
also accepts query params and not just headers. So this must be just r.Header.Get()
I refined your code in #816. Note that your commit are not in there, because the ntfy binary (30MB) would be in the history. If you'd like your commit to be in there, feel free to force-push an updated branch, or open a new PR. You and the original author will get credit in the changelog either way though. Please review #816 to see if this would work for you. I think it's a nice addition. Question: What auth system are you using? |
My code will only check the value if the config value is set. It's a single if statement. It'll be fine. |
I would go for a client certificate, as the number of clients is very small (just me ;-P) |
Fair warning: The ntfy Android client does not work with custom certs though. |
@Nanowires I am a little confused now. I thought that this would enable the use of Authelia or Keycloak. Am I wrong? |
As far as I understand, this allows any kind of authentication, as long as the proxy sends the user defined header with the associated user. |
e932d68
to
5f0c30a
Compare
I tested this with Authelia and Caddy tonight. Here's the config: Caddy
ntfy
Here are some things I found:
There might be more issues, but for at least these reasons, I don't think this is ready to merge right away. I did not test anything from the Android app. I'm not even sure how I could sign into Authelia from the ntfy app... |
Another PR for #601
Mostly copied from #602
Same as the original author: I'm not particularly familiar with go, or the ntfy code base, I haven't tried to run this code.
If I have time I will try to add tests in the next few days.
I'm also not sure about the way to trace here (e.g. in case that the user-header is set and the client sent one, but the user is not found)