Comments (6)
I think it would be great to have the ability to restrict access to only allowed users (a list of allowed emails? an allowed-domains wildcard?), so you can have a public-facing but still secure unpub. And also hide the frontend behind a login.
Did your idea include something like this? If yes, I'm 100% interested.
I was also thinking about an option to use a custom OAuth2 server instead of Google. What do you think about this? It would mainly remove the need to use a Google account, but would also allow "IdP level access restriction" (when used with e.g. a self-hosted IdP).
Fine. There are some other issues also looking for a solution for fine-grained access control, like #54.
If you have a good plan, you're welcome to discuss it together.
I've had a look at this and my schedule, and it's going to be a large chunk of work which I can't commit to at the moment.
So sorry I'm going to have to step out of this one.
Support for custom OAuth2 servers is planned for unpub soon. When deploying the unpub service, pass in the OAuth2 configuration and use the unpub_auth tool to guide users through the authentication process.
@talisk Thanks for the info!
In fact I've been chatting with the Dart team on their Discord about hosted pub servers, and one of my questions was about auth, like whether they are planning to somehow integrate custom OAuth2 into the pub client, or whether users should use some_auth_app | dart pub token add xxx
...
And their idea for this is to have a web UI with login where users can generate their tokens. I don't know if you are planning something like this or how temporary the unpub_auth app is. But I agree that this would be the best way.
Quote:
Regarding updating tokens:
https://github.com/dart-lang/pub/blob/master/doc/repository-spec-v2.md
If you read the repository specification it says that when authentication fails, you can return a WWW-Authenticate header with a custom message. I would suggest creating a private pub server such that you do:
dart pub get .... authentication failed error message Custom message: Go to https://my-pubserver.com/manage-tokens to get a token
So create a custom message that says something like: "go to https://my-pubserver.com/manage-tokens to create a token"
So your custom pub server should just have a web interface where users can:
- sign-in using whatever sign-in mechanism you want (consider supporting various SSO systems)
- Once signed in, the user can create / delete / activate / deactivate tokens
- User will then create a token, and copy it to dart pub token add
Tokens should have expiration of 30 days or 1 year, or just never expire.
Ideally, when creating a token, the user would give it a description, so they can remember what computer they've authenticated using said token.
Also, here is an example of how it works on GitLab.
You create a new token, give it a name, maybe an expiration (a username wouldn't be needed here), and scopes; for unpub, read and write should be enough.
Now the API would be accessible using only this token, and the OAuth2 token would be for the web API.
And a side note: unpub currently isn't even checking the token audience, so any random Google token would also work on any random unpub instance.
I've been playing with this for a few afternoons, but unfortunately this is going to be a rather big update which sadly I don't have time to finish. I wanted to add just a simple auth middleware, but I already ended up with twice as much code as I started with, haha.
The next thing that should be done is to "convert" uploaders from email to user ID, because while on Google you cannot change your email, with other OAuth2 providers you can, so the only reliable identifier will be the ID.
I can however give you my unfinished code, if you want. My latest working version had auth middleware with OAuth2 token checking (Google, custom JWT and introspected opaque).
Then I wanted to add custom generated tokens for API routes and that's where I have ended.
I can however share my unfinished code. I don't know how far you are with it already, but you can use anything you want from there, if you like something from it; you don't have to, if you don't :) I didn't want to publish half-baked temporary solutions, that's why I didn't PR the first working OAuth2 thing.
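As an added example (not unpub's code, and written in Python rather than Dart so it runs stand-alone), here is the shape of the bearer-token check this thread is asking for: it verifies the signature, then issuer, audience and expiry, and answers a failure with the WWW-Authenticate challenge that the quoted repository spec lets the pub client display. The issuer, audience, HS256 key and token-management URL are constructed stand-ins; a real IdP such as Google signs with RS256 public keys instead.

```python
import base64, hashlib, hmac, json, time
# Constructed values for this added example; none are unpub's real configuration.
EXPECTED_ISS = "https://idp.example.test"
EXPECTED_AUD = "unpub-demo-instance"  # the audience this server accepts
SIGNING_KEY = b"demo-shared-secret"   # HS256 keeps the demo self-contained; real IdPs use RS256 keys
MANAGE_TOKENS_URL = "https://my-pubserver.com/manage-tokens"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_token(claims: dict) -> str:  # HS256 JWT, used only to construct sample tokens
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_token(token: str, now=None) -> dict:
    """Check signature, then iss, aud and exp; raise ValueError naming the failed check."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header, payload, sig = parts
    expected = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload))
    if claims.get("iss") != EXPECTED_ISS:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if EXPECTED_AUD not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")  # the check the comment above says unpub is missing
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("token expired")
    return claims

def authorize(headers: dict, now=None) -> tuple:
    """Return (status, response headers, subject); on failure answer with the 401 form pub displays."""
    auth = headers.get("Authorization", "")
    try:
        if not auth.startswith("Bearer "):
            raise ValueError("no bearer token")
        claims = verify_token(auth[len("Bearer "):], now)
        return 200, {}, claims.get("sub", "")
    except ValueError as err:
        challenge = f'Bearer realm="pub", message="{err}: go to {MANAGE_TOKENS_URL} to get a token"'
        return 401, {"WWW-Authenticate": challenge}, ""
```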
For now, is there any way to make an unpub hosted repo private (private in the sense that an unauthorized user can't access it)? I didn't find any documentation about this.