working on authentication

This commit is contained in:
vabene1111 2021-01-28 15:11:38 +01:00
parent 148324b37f
commit 6192277778
5 changed files with 120 additions and 83 deletions


@ -48,8 +48,12 @@ SHOPPING_MIN_AUTOSYNC_INTERVAL=5
GUNICORN_MEDIA=0 GUNICORN_MEDIA=0
# allow authentication via reverse proxy (e.g. authelia), leave of if you dont know what you are doing # allow authentication via reverse proxy (e.g. authelia), leave of if you dont know what you are doing
# docs: https://github.com/vabene1111/recipes/tree/develop/docs/docker/nginx-proxy%20with%20proxy%20authentication # see docs for more information https://vabene1111.github.io/recipes/features/authentication/
# when unset: 0 (false) # when unset: 0 (false)
REVERSE_PROXY_AUTH=0 REVERSE_PROXY_AUTH=0
# allows you to setup o auth providers
# see docs for more information https://vabene1111.github.io/recipes/features/authentication/
# SOCIAL_PROVIDERS = allauth.socialaccount.providers.github, allauth.socialaccount.providers.nextcloud,
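Review bot: the example value on the commented `SOCIAL_PROVIDERS` line (spaces after the commas and a trailing comma) does not match how settings.py consumes it: `os.getenv('SOCIAL_PROVIDERS').split(',')` keeps the leading space on the second entry and produces an empty string for the trailing comma, and both land in `INSTALLED_APPS`. Either document the value as `allauth.socialaccount.providers.github,allauth.socialaccount.providers.nextcloud` with no whitespace or trailing comma, or make the parser strip entries and drop empty ones. Two wording points while this block is open: "o auth" in the new comment should read "OAuth", and the pre-existing "leave of if you dont know" on the `REVERSE_PROXY_AUTH` comment should be "leave off if you don't know".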


@ -0,0 +1,108 @@
Besides the normal django username and password authentication this application supports multiple
methods of central account management and authentication.
## Allauth
[Django Allauth](https://django-allauth.readthedocs.io/en/latest/index.html) is an awesome project that
allows you to use a [huge number](https://django-allauth.readthedocs.io/en/latest/providers.html) of different
authentication providers.
They basically explain everything in their documentation, but the following is a short overview on how to get started.
!!! warning "Public Providers"
If you choose Google, Github or any other publicly available service as your authentication provider anyone
with an account on that site can create an account on your installation.
A new account does not have any permission but it is still **not recommended** to give public access to
your installation.
Choose a provider from the [list](https://django-allauth.readthedocs.io/en/latest/providers.html) and install it using the environment variable `SOCIAL_PROVIDERS` as shown
in the example below.
```ini
SOCIAL_PROVIDERS = allauth.socialaccount.providers.github, allauth.socialaccount.providers.nextcloud,
```
After that, use your superuser account to configure your authentication backend.
Open the admin page and do the following
1. Select `Sites` and create a new site with the URL of your installation.
2. Create a new `Social Application` with the required information as stated in the provider documentation of allauth.
3. Make sure to add your site to the list of available sites
Now the provider is configured and you should be able to sign up and sign in using the provider.
## Reverse Proxy Authentication
!!! Info "Community Contributed Tutorial"
This tutorial was provided by a community member. Since I do not use reverse proxy authentication, I cannot provide any
assistance should you choose to use this authentication method.
In order use proxy authentication you will need to:
1. Set `REVERSE_PROXY_AUTH=1` in the `.env` file
2. Update your nginx configuration file
Using any of the examples above will automatically generate a configuration file inside a docker volume.
Use `docker volume inspect recipes_nginx` to find out where your volume is stored.
!!! warning "Configuration File Volume"
The nginx config volume is generated when the container is first run. You can change the volume to a bind mount in the
warning `docker-compose.yml`, but then you will need to manually create it. See section `Volumes vs Bind Mounts` below
for more information.
The following example shows a configuration for Authelia:
```
server {
listen 80;
server_name localhost;
client_max_body_size 16M;
# serve static files
location /static/ {
alias /static/;
}
# serve media files
location /media/ {
alias /media/;
}
# Authelia endpoint for authentication requests
include /config/nginx/auth.conf;
# pass requests for dynamic content to gunicorn
location / {
proxy_set_header Host $host;
proxy_pass http://web_recipes:8080;
# Ensure Authelia is specifically required for this endpoint
# This line is important as it will return a 401 error if the user doesn't have access
include /config/nginx/authelia.conf;
auth_request_set $user $upstream_http_remote_user;
proxy_set_header REMOTE-USER $user;
}
# Required to allow user to logout of authentication from within Recipes
# Ensure the <auth_endpoint> below is changed to actual the authentication url
location /accounts/logout/ {
return 301 http://<auth_endpoint>/logout
}
}
```
Please refer to the appropriate documentation on how to setup the reverse proxy, authentication, and networks.
Ensure users have been configured for Authelia, and that the endpoint recipes is pointed to is protected but
available.
There is a good guide to the other additional files that need to be added to your nginx set up at
the [Authelia Docs](https://docs.authelia.com/deployment/supported-proxies/nginx.html).
Remember to add the appropriate environment variables to `.env` file (example for nginx proxy):
```
VIRTUAL_HOST=
LETSENCRYPT_HOST=
LETSENCRYPT_EMAIL=
PROXY_HEADER=
```
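Review bot: the `return 301 http://<auth_endpoint>/logout` directive in the `/accounts/logout/` block is missing its terminating semicolon, so nginx will refuse to load this configuration as pasted; it should also redirect to an `https://` URL, since that endpoint is the authentication session itself. Three further points in this file. Step 1 under Allauth tells the user to create a new `Site`, but settings.py selects the site with `SITE_ID = int(os.getenv('ALLAUTH_SITE_ID', 1))`, so a newly created site (which gets a new id) is only used if `ALLAUTH_SITE_ID` is set to it; the docs should either say to edit the existing site with id 1 or mention that variable. The reverse-proxy section was moved here verbatim, so "Using any of the examples above" and "See section `Volumes vs Bind Mounts` below" now refer to content that lives in the docker install page, not this one; replace them with links. And because `RemoteUserBackend` trusts whatever arrives in the `REMOTE-USER` header, the docs should state that port 8080 of `web_recipes` must be reachable only from this nginx and never published directly; otherwise a client can set the header itself and log in as any user.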


@ -290,84 +290,6 @@ to the host system and from there into the nginx container.
This is not really a clean solution, but I could not find any better alternative that provided the same amount of This is not really a clean solution, but I could not find any better alternative that provided the same amount of
usability. If you know of any better way, feel free to open an issue. usability. If you know of any better way, feel free to open an issue.
### Using Proxy Authentication
!!! Info "Community Contributed Tutorial"
This tutorial was provided by a community member. Since I do not use reverse proxy authentication, I cannot provide any
assistance should you choose to use this authentication method.
In order use proxy authentication you will need to:
1. Set `REVERSE_PROXY_AUTH=1` in the `.env` file
2. Update your nginx configuration file
Using any of the examples above will automatically generate a configuration file inside a docker volume.
Use `docker volume inspect recipes_nginx` to find out where your volume is stored.
!!! warning "Configuration File Volume"
The nginx config volume is generated when the container is first run. You can change the volume to a bind mount in the
warning `docker-compose.yml`, but then you will need to manually create it. See section `Volumes vs Bind Mounts` below
for more information.
The following example shows a configuration for Authelia:
```
server {
listen 80;
server_name localhost;
client_max_body_size 16M;
# serve static files
location /static/ {
alias /static/;
}
# serve media files
location /media/ {
alias /media/;
}
# Authelia endpoint for authentication requests
include /config/nginx/auth.conf;
# pass requests for dynamic content to gunicorn
location / {
proxy_set_header Host $host;
proxy_pass http://web_recipes:8080;
# Ensure Authelia is specifically required for this endpoint
# This line is important as it will return a 401 error if the user doesn't have access
include /config/nginx/authelia.conf;
auth_request_set $user $upstream_http_remote_user;
proxy_set_header REMOTE-USER $user;
}
# Required to allow user to logout of authentication from within Recipes
# Ensure the <auth_endpoint> below is changed to actual the authentication url
location /accounts/logout/ {
return 301 http://<auth_endpoint>/logout
}
}
```
Please refer to the appropriate documentation on how to setup the reverse proxy, authentication, and networks.
Ensure users have been configured for Authelia, and that the endpoint recipes is pointed to is protected but
available.
There is a good guide to the other additional files that need to be added to your nginx set up at
the [Authelia Docs](https://docs.authelia.com/deployment/supported-proxies/nginx.html).
Remember to add the appropriate environment variables to `.env` file (example for nginx proxy):
```
VIRTUAL_HOST=
LETSENCRYPT_HOST=
LETSENCRYPT_EMAIL=
PROXY_HEADER=
```
### Volumes vs Bind Mounts ### Volumes vs Bind Mounts
Since I personally prefer to have my data where my `docker-compose.yml` resides, bind mounts are used in the example Since I personally prefer to have my data where my `docker-compose.yml` resides, bind mounts are used in the example
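Review bot: the section removed here moves to `docs/features/authentication.md`, but the text it carries away still refers to "the examples above" and to the `Volumes vs Bind Mounts` section that stays in this file, and the old `.env.template` comment linked readers to this page for proxy authentication. A one-line pointer at this spot ("Proxy authentication is described under Features / Authentication") would keep old links and readers of this page from losing the trail.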


@ -31,6 +31,7 @@ nav:
- Features: - Features:
- Tempalating: features/templating.md - Tempalating: features/templating.md
- Shopping: features/shopping.md - Shopping: features/shopping.md
- Authentication: features/authentication.md
- Storages and Sync: features/external_recipes.md - Storages and Sync: features/external_recipes.md
- System: - System:
- Updating: system/updating.md - Updating: system/updating.md
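Review bot: while editing this nav list, the unchanged `Tempalating: features/templating.md` label two lines above the new entry is misspelled; renaming it to `Templating` is a one-word fix that fits in the same hunk.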


@ -9,6 +9,7 @@ https://docs.djangoproject.com/en/2.0/topics/settings/
For the full list of settings and their values, see For the full list of settings and their values, see
https://docs.djangoproject.com/en/2.0/ref/settings/ https://docs.djangoproject.com/en/2.0/ref/settings/
""" """
import ast
import os import os
import random import random
import string import string
@ -82,10 +83,14 @@ INSTALLED_APPS = [
'allauth', 'allauth',
'allauth.account', 'allauth.account',
'allauth.socialaccount', 'allauth.socialaccount',
'allauth.socialaccount.providers.github',
'cookbook.apps.CookbookConfig', 'cookbook.apps.CookbookConfig',
] ]
SOCIAL_PROVIDERS = os.getenv('SOCIAL_PROVIDERS').split(',') if os.getenv('SOCIAL_PROVIDERS') else []
INSTALLED_APPS = INSTALLED_APPS + SOCIAL_PROVIDERS
SOCIALACCOUNT_PROVIDERS = ast.literal_eval(os.getenv('SOCIALACCOUNT_PROVIDERS') if os.getenv('SOCIALACCOUNT_PROVIDERS') else '{}')
MIDDLEWARE = [ MIDDLEWARE = [
'django.middleware.security.SecurityMiddleware', 'django.middleware.security.SecurityMiddleware',
'whitenoise.middleware.WhiteNoiseMiddleware', 'whitenoise.middleware.WhiteNoiseMiddleware',
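Review bot: `os.getenv('SOCIAL_PROVIDERS').split(',')` neither strips whitespace nor drops empty entries, so the value shown in `.env.template` and the new docs page (`allauth.socialaccount.providers.github, allauth.socialaccount.providers.nextcloud,`) puts `' allauth.socialaccount.providers.nextcloud'` and `''` into `INSTALLED_APPS`, and Django fails at startup when it tries to import them. Something like `[p.strip() for p in os.getenv('SOCIAL_PROVIDERS', '').split(',') if p.strip()]` accepts both spellings. `ast.literal_eval` is the right choice for `SOCIALACCOUNT_PROVIDERS` (it only evaluates literals, so a hostile value raises instead of executing), but the variable is not mentioned in `.env.template` or in the new docs page, and a malformed value surfaces as an uncaught `ValueError` or `SyntaxError` on startup; document it together with the dict shape it expects.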
@ -109,9 +114,6 @@ SITE_ID = int(os.getenv('ALLAUTH_SITE_ID', 1))
ACCOUNT_ADAPTER = 'cookbook.helper.AllAuthCustomAdapter' ACCOUNT_ADAPTER = 'cookbook.helper.AllAuthCustomAdapter'
# disable account creation using allauth
ACCOUNT_ALLOW_SIGNUPS = bool(int(os.getenv('ACCOUNT_ALLOW_SIGNUPS', False)))
if REVERSE_PROXY_AUTH: if REVERSE_PROXY_AUTH:
MIDDLEWARE.append('recipes.middleware.CustomRemoteUser') MIDDLEWARE.append('recipes.middleware.CustomRemoteUser')
AUTHENTICATION_BACKENDS.append('django.contrib.auth.backends.RemoteUserBackend') AUTHENTICATION_BACKENDS.append('django.contrib.auth.backends.RemoteUserBackend')
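Review bot: removing `ACCOUNT_ALLOW_SIGNUPS` drops the only env-controlled switch for closing allauth registration, while `ACCOUNT_ADAPTER = 'cookbook.helper.AllAuthCustomAdapter'` is kept in the context above. If that adapter still reads `settings.ACCOUNT_ALLOW_SIGNUPS`, this change makes it raise `AttributeError`; if its check was removed in a change outside this diff, signups become open by default, which is exactly the situation the new docs page warns about under "Public Providers". Either keep the setting (defaulting to disabled) or state in the docs how an operator closes registration.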