feat: check for basic auth (#110) #129
Conversation
|
Looks great! Thanks for contributing this! |
|
If you have a bit of bandwidth, a great followup to this would be a wiki page covering authentication if you want to add some details about how to use this with a common reverse proxy. I'll be happy to edit / expand on whatever initial content you seed. |
|
Here is the guide, @garethgeorge feel free to add this to wiki: Basic authentication for SSOHTTP basic authentication can be used together with forward-auth to enable single-sign-on. Forward-auth passes request headers to a 3rd party software, most commonly an SSO identity provider service, which can add additional headers to the proxied service (Backrest), in this case adding All of the major web servers and proxies support forward-auth (Apache, Nginx, Traefik, Caddy, etc.), please consult their documentation on how to set it up. Example with AuthentikSet username and password attributesWhen using Authentik proxy provider for forward-auth, enable
Bind group or user to Backrest applicationIn the Authentik applications section, navigate to your Backrest application, and go to Choose the appropriate Group or User to bind to the application and click Set the username and password in group/user attributesAdd the previously chosen username and password attributes (with values from actual user in Backrest) in the group attributes section and click
Now when connecting to Backrest, Authentik will add HTTP-Basic authentication header with username and password from the group/user attributes and user should be automatically logged in. |
|
Hi, I'm evaluating relicensing Backrest as AGPL-3.0 . Thanks for contributing this fix! I'm wondering if you'd be willing to retroactively sign a CLA? Or grant more specific permission to retain the copyright for your PRs but relicense your changes in the codebase under AGPL-3.0 . I've become aware of a few SAAS looking at selling Backrest which goes philosophically against what I created it for (well they're welcome to -- but their platforms should be OSS and self-hostable re: the same freedoms Backrest provides!). |
|
Sure thing, AGPL sounds great. |
Added a simple check for HTTP Basic authorization. Seems to work fine with Authentik SSO passing the auth header.
This does not add
WWW-Authenticateheader since it normally expects to receive Bearer auth for JWT.I am not familiar with go, so I presume that
bcrypt.CompareHashAndPasswordtakes care of timing attacks and I don't have to addConstantTimeComparemyself. Please correct me if I am wrong.Maybe adding rate limiting for brute force detection would be a good idea. Should it be added only for Basic auth, or is it relevant for Bearer token as well?