Add simple HTTP authentication that can be used via configuration or ENV #171
Conversation
|
@krtschmr thanks for this! We need to have some default authentication built-in before we can propose this as default for Rails, but I'm not sure yet how it's going to look, so I'll keep this PR on hold until then. |
|
Hi @rosa i'm unsure what you mean with DefaultAuthentication. |
|
@krtschmr, I mean some authentication solution that comes enabled by default, so yes, this would work, but I'm not sure if we'll go with basic auth or with something else (such as a simple cookie-based authentication). It also needs to be closed by default in production and be easy to configure. I haven't decided yet what it'll look like. |
| ENV["MISSION_CONTROL_JOBS_HTTP_AUTH_USER"]=captain | ||
| ENV["MISSION_CONTROL_JOBS_HTTP_AUTH_password"]=topsecret | ||
| ``` | ||
| If no value is provided (`nil`, `""` or `false`), authentication is skipped. |
There was a problem hiding this comment.
Would you be up for changing this so that in production, if no configuration is set, it fails? The idea is that nobody could install Mission Control, forget to configure this, ship it to production and have this open to everyone by default.
There was a problem hiding this comment.
Hi @rosa , that is indeed a fantastic situation.
So by default, mission-control is default secured by HTTP_AUTH unless you disable it explicitly, or roll out your own ControllerInheritance (then you're on your own anyways)
| @@ -4,7 +4,15 @@ class MissionControl::Jobs::ApplicationController < MissionControl::Jobs.base_co | |||
| include MissionControl::Jobs::ApplicationScoped, MissionControl::Jobs::NotFoundRedirections | |||
| include MissionControl::Jobs::AdapterFeatures | |||
|
|
|||
| before_action :http_auth | |||
There was a problem hiding this comment.
I'd rename this to authenticate_by_basic_auth and then make it conditional on another property http_auth_enabled (similar to http_auth_user), which would default to true, just to disable it easily.
We needed a very simple easy way to add
http_auth. inheriting from own controller seems overkill.fixes #166