Authenticate with REMOTE_USER #3402
Conversation
This doesn't seem very secure? All you need is someone's email, then you can log in as them?
Which is what's leading me to believe I've done this wrong?
I guess the point of this header is that it can only be set by the internal proxy. This middleware should definitely not be enabled in Cachet by default, and should be turned on only by those who are using Cachet behind such a proxy.
What if we use the apiToken with this header as well instead of the email if the header is truly needed?
There are two general ways to do this:
The first option requires you to set up the authenticating web server in a particular way. If the proxy and the app are co-located on the same machine, the app must run on 127.0.0.1 at a minimum. If not, more work is required (e.g. you must authenticate the proxy to Cachet or use layer 4 network protections). The second option requires that the proxy and app are co-located and is generally more secure. Clients have no ability to set environment variables on the runtime process. Only the web server / runtime launcher can do this. Although it's Python, you can read the Django documentation which explains some of these issues (which are of course not language specific). An excerpt:
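The two trust models described in the comment above, written out as an added example in Python (it is not Cachet's code, and the `X-Remote-User` header name, the trusted-proxy list and the user table are assumptions made for the demo). Option A trusts a proxy-supplied header only when the TCP peer is a configured proxy address; option B reads `REMOTE_USER` from the server-populated environ, which a client cannot reach because client headers only ever appear under `HTTP_*` keys. Both paths then map the asserted email to an existing account and refuse unknown identities rather than creating accounts.

```python
"""Added example: safely consuming a REMOTE_USER identity (not Cachet's code)."""
import ipaddress

# Assumption for the demo: the only trusted proxy is on the same host.
TRUSTED_PROXIES = [ipaddress.ip_network("127.0.0.1/32")]

# Constructed user table standing in for the application's user store.
USERS_BY_EMAIL = {
    "alice@example.com": {"id": 1, "name": "Alice"},
    "bob@example.com": {"id": 2, "name": "Bob"},
}


def remote_user_from_header(environ, trusted_proxies=TRUSTED_PROXIES):
    """Option A: trust the hypothetical X-Remote-User header, but only when
    the request's TCP peer is one of the configured proxies. Any other peer
    could have set the header itself, so its value is discarded."""
    peer = environ.get("REMOTE_ADDR")
    if peer is None:
        return None
    try:
        peer_ip = ipaddress.ip_address(peer)
    except ValueError:
        return None
    if not any(peer_ip in net for net in trusted_proxies):
        return None
    # WSGI/CGI expose client headers as HTTP_<NAME>; X-Remote-User becomes HTTP_X_REMOTE_USER.
    user = environ.get("HTTP_X_REMOTE_USER", "").strip()
    return user or None


def remote_user_from_environ(environ):
    """Option B: the web server / runtime launcher sets environ['REMOTE_USER'].
    A client header named Remote-User lands in HTTP_REMOTE_USER instead, so the
    un-prefixed key cannot be influenced from the network."""
    user = environ.get("REMOTE_USER", "").strip()
    return user or None


def lookup_account(email, users=USERS_BY_EMAIL):
    """Map an asserted identity to an existing account; never auto-create."""
    if email is None:
        return None
    return users.get(email.lower())


def authenticate(environ, mode):
    """Resolve the request to an account dict or None using the chosen mode."""
    if mode == "header":
        identity = remote_user_from_header(environ)
    elif mode == "environ":
        identity = remote_user_from_environ(environ)
    else:
        raise ValueError("mode must be 'header' or 'environ'")
    return lookup_account(identity)


if __name__ == "__main__":
    # Constructed requests: one via the local proxy, one direct from the internet
    # carrying a forged header, one where the server itself set REMOTE_USER.
    via_proxy = {"REMOTE_ADDR": "127.0.0.1", "HTTP_X_REMOTE_USER": "alice@example.com"}
    forged = {"REMOTE_ADDR": "203.0.113.7", "HTTP_X_REMOTE_USER": "alice@example.com"}
    server_set = {"REMOTE_USER": "bob@example.com", "HTTP_REMOTE_USER": "alice@example.com"}
    for label, env, mode in [("proxy", via_proxy, "header"),
                             ("forged", forged, "header"),
                             ("environ", server_set, "environ")]:
        print(label, authenticate(env, mode))
```

The check that matters is the peer-address gate in option A: without it, any client that can reach the app directly can assert an arbitrary email, which is exactly the concern raised earlier in the thread. Option B avoids the problem structurally, at the cost of requiring the proxy and app to share a host.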
@jcmcken are you able to test this? :)
Ping @jcmcken!
@jcmcken I've fixed the conflicts, if you can please give this another go?
I'm going to merge this so we can move on with other bits. We can always look at creating accounts later on.
Closes #3243
Right, so I've not written any tests for this yet, but I want to know if this is the right way of doing things since I've not got a method of testing.
Ping @jcmcken