
Rework Authentication into separate services #1491

Draft. Wants to merge 4 commits into base: master.

Conversation

jtojnar (Member) commented Jul 10, 2024

This is a from-scratch rewrite, moving a bit closer to Single Responsibility Principle.

We split handling of credentials-in-config and always-open authentication systems.
In the future, we will be able to implement more methods this way.

This was motivated by session code being called in the constructor, which would break in CLI with Tracy strict mode.

Additionally:

  • Session verification now also checks if the credentials in the config did not change.
  • Requests from local IP now give full access to all operations, not just update.

netlify bot commented Jul 10, 2024

Deploy Preview for selfoss canceled.

- Latest commit: a36d706
- Latest deploy log: https://app.netlify.com/sites/selfoss/deploys/668f389690e46e00084d30ed

Commits

So that it does not try to access `$_SERVER['SERVER_NAME']` in CLI SAPI.

Though this is not sufficient, since the Authentication helper will try to access it strictly too.

So that we do not need to care about it in the Authentication rewrite later.

This is a from-scratch rewrite, moving a bit closer to Single Responsibility Principle.

We split handling of credentials-in-config and always-open authentication systems.
In the future, we will be able to implement more methods this way.

This was motivated by session code being called in constructor,
which would break in CLI with Tracy strict mode.

For now, we are just porting the Authentication helper and controller.

Additionally:

- Session verification now also checks if the credentials in the config did not change.
- Requests from loopback IP address now give full access to all operations, not just update.
- IPv6 loopback address is recognized as well.
- Requests forwarded by proxies are filtered out since local reverse proxies might come from loopback as well.
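As an added illustration of the loopback rule described in the last commit message (example code, not selfoss's own implementation): a request counts as local only when `REMOTE_ADDR` is an IPv4 127.0.0.0/8 or IPv6 `::1` address and no forwarding header is present, so traffic relayed by a reverse proxy on the same host is not granted local privileges. The list of forwarding headers, the IPv4-mapped `::ffff:127.x` case and the sample requests are assumptions constructed for this example.

```php
<?php
declare(strict_types=1);

// Added example, not selfoss code. Request data is passed in as an array
// with the same keys as PHP's $_SERVER superglobal.

// Assumed set of headers whose presence means a proxy relayed the request,
// in which case REMOTE_ADDR is the proxy's address, not the client's.
const FORWARDING_HEADERS = [
    'HTTP_X_FORWARDED_FOR',
    'HTTP_X_FORWARDED_HOST',
    'HTTP_X_REAL_IP',
    'HTTP_FORWARDED',
];

function isLoopbackAddress(string $ip): bool
{
    $packed = inet_pton($ip);
    if ($packed === false) {
        return false; // not a syntactically valid IP address
    }
    if (strlen($packed) === 4) {
        return ord($packed[0]) === 127; // whole IPv4 127.0.0.0/8 block
    }
    if ($packed === inet_pton('::1')) {
        return true; // IPv6 loopback
    }
    // IPv4-mapped IPv6 form of a 127.x address (::ffff:127.0.0.1), as seen
    // on dual-stack listeners; treated as loopback here by assumption.
    $mappedPrefix = str_repeat("\0", 10) . "\xff\xff";
    return substr($packed, 0, 12) === $mappedPrefix && ord($packed[12]) === 127;
}

function isDirectLoopbackRequest(array $server): bool
{
    foreach (FORWARDING_HEADERS as $header) {
        if (isset($server[$header])) {
            return false; // relayed by a proxy: do not trust REMOTE_ADDR
        }
    }
    return isset($server['REMOTE_ADDR']) && isLoopbackAddress($server['REMOTE_ADDR']);
}

// Constructed sample requests exercising each branch.
$samples = [
    'ipv4 loopback, direct'      => ['REMOTE_ADDR' => '127.0.0.1'],
    'ipv6 loopback, direct'      => ['REMOTE_ADDR' => '::1'],
    'loopback but via proxy'     => ['REMOTE_ADDR' => '127.0.0.1', 'HTTP_X_FORWARDED_FOR' => '203.0.113.5'],
    'remote client'              => ['REMOTE_ADDR' => '192.0.2.10'],
];
foreach ($samples as $label => $server) {
    printf("%-26s local=%s\n", $label, isDirectLoopbackRequest($server) ? 'yes' : 'no');
}
```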