cgiacofei/TandoorRecipes
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Changed var-name in env, info in docs and processing in settings

Browse Source 
Also added a deprecation warning and changed the structure of the authentication.md

Signed-off-by: Henning Bopp <henning.bopp@gmail.com>
This commit is contained in:
Henning Bopp 2023-08-16 21:19:38 +02:00
parent ba361a8a27
commit f5fb4e563d
No known key found for this signature in database
GPG Key ID: 34D28E2D0B14BF1D
3 changed files with 21 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
.env.template
View File

@ -100,10 +100,12 @@ GUNICORN_MEDIA=0
# prefix used for account related emails (default "[Tandoor Recipes] ") # prefix used for account related emails (default "[Tandoor Recipes] ")
# ACCOUNT_EMAIL_SUBJECT_PREFIX= # ACCOUNT_EMAIL_SUBJECT_PREFIX=
# allow authentication via reverse proxy (e.g. authelia), leave off if you dont know what you are doing # allow authentication via the REMOTE-USER header (can be used for e.g. authelia).
# see docs for more information https://docs.tandoor.dev/features/authentication/ # ATTENTION: Leave off if you don't know what you are doing! Enabling this without proper configuration will enable anybody
# to login with any username!
# See docs for additional information: https://docs.tandoor.dev/features/authentication/#reverse-proxy-authentication
# when unset: 0 (false) # when unset: 0 (false)
REVERSE_PROXY_AUTH=0 REMOTE_USER_AUTH=0
# Default settings for spaces, apply per space and can be changed in the admin view # Default settings for spaces, apply per space and can be changed in the admin view
# SPACE_DEFAULT_MAX_RECIPES=0 # 0=unlimited recipes # SPACE_DEFAULT_MAX_RECIPES=0 # 0=unlimited recipes

18
docs/features/authentication.md
View File

@ -100,15 +100,17 @@ AUTH_LDAP_START_TLS=1
AUTH_LDAP_TLS_CACERTFILE=/etc/ssl/certs/own-ca.pem AUTH_LDAP_TLS_CACERTFILE=/etc/ssl/certs/own-ca.pem
``` ```
## Reverse Proxy Authentication ## External Authentication
!!! warning "Security Impact"
If you just set `REMOTE_USER_AUTH=1` without any additional configuration, _anybody_ can authenticate with _any_ username!
!!! Info "Community Contributed Tutorial" !!! Info "Community Contributed Tutorial"
This tutorial was provided by a community member. Since I do not use reverse proxy authentication, I cannot provide any This tutorial was provided by a community member. We are not able to provide any support! Please only use, if you know what you are doing!
assistance should you choose to use this authentication method.
In order use proxy authentication you will need to: In order use external authentication (i.e. using a proxy auth like Authelia, Authentik, etc.) you will need to:
1. Set `REVERSE_PROXY_AUTH=1` in the `.env` file 1. Set `REMOTE_USER_AUTH=1` in the `.env` file
2. Update your nginx configuration file 2. Update your nginx configuration file
Using any of the examples above will automatically generate a configuration file inside a docker volume. Using any of the examples above will automatically generate a configuration file inside a docker volume.
@ -116,10 +118,10 @@ Use `docker volume inspect recipes_nginx` to find out where your volume is store
!!! warning "Configuration File Volume" !!! warning "Configuration File Volume"
The nginx config volume is generated when the container is first run. You can change the volume to a bind mount in the The nginx config volume is generated when the container is first run. You can change the volume to a bind mount in the
warning `docker-compose.yml`, but then you will need to manually create it. See section `Volumes vs Bind Mounts` below `docker-compose.yml`, but then you will need to manually create it. See section `Volumes vs Bind Mounts` below
for more information. for more information.
The following example shows a configuration for Authelia: ### Configuration Example for Authelia
``` ```
server { server {
@ -161,7 +163,7 @@ server {
} }
``` ```
Please refer to the appropriate documentation on how to setup the reverse proxy, authentication, and networks. Please refer to the appropriate documentation on how to set up the reverse proxy, authentication, and networks.
Ensure users have been configured for Authelia, and that the endpoint recipes is pointed to is protected but Ensure users have been configured for Authelia, and that the endpoint recipes is pointed to is protected but
available. available.

8
recipes/settings.py
View File

@ -46,7 +46,11 @@ INTERNAL_IPS = os.getenv('INTERNAL_IPS').split(
# allow djangos wsgi server to server mediafiles # allow djangos wsgi server to server mediafiles
GUNICORN_MEDIA = bool(int(os.getenv('GUNICORN_MEDIA', True))) GUNICORN_MEDIA = bool(int(os.getenv('GUNICORN_MEDIA', True)))
REVERSE_PROXY_AUTH = bool(int(os.getenv('REVERSE_PROXY_AUTH', False))) if os.getenv('REVERSE_PROXY_AUTH') is not None:
print('DEPRECATION WARNING: Environment var "REVERSE_PROXY_AUTH" is deprecated. Please use "REMOTE_USER_AUTH".')
REMOTE_USER_AUTH = bool(int(os.getenv('REVERSE_PROXY_AUTH', False)))
else:
REMOTE_USER_AUTH = bool(int(os.getenv('REMOTE_USER_AUTH', False)))
# default value for user preference 'comment' # default value for user preference 'comment'
COMMENT_PREF_DEFAULT = bool(int(os.getenv('COMMENT_PREF_DEFAULT', True))) COMMENT_PREF_DEFAULT = bool(int(os.getenv('COMMENT_PREF_DEFAULT', True)))
@ -273,7 +277,7 @@ SITE_ID = int(os.getenv('ALLAUTH_SITE_ID', 1))
ACCOUNT_ADAPTER = 'cookbook.helper.AllAuthCustomAdapter' ACCOUNT_ADAPTER = 'cookbook.helper.AllAuthCustomAdapter'
if REVERSE_PROXY_AUTH: if REMOTE_USER_AUTH:
MIDDLEWARE.insert(8, 'recipes.middleware.CustomRemoteUser') MIDDLEWARE.insert(8, 'recipes.middleware.CustomRemoteUser')
AUTHENTICATION_BACKENDS.append( AUTHENTICATION_BACKENDS.append(
'django.contrib.auth.backends.RemoteUserBackend') 'django.contrib.auth.backends.RemoteUserBackend')