-
-
Notifications
You must be signed in to change notification settings - Fork 52
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: check for basic auth (#110) #129
Conversation
Looks great! Thanks for contributing this! |
If you have a bit of bandwidth, a great followup to this would be a wiki page covering authentication if you want to add some details about how to use this with a common reverse proxy. I'll be happy to edit / expand on whatever initial content you seed. |
Here is the guide, @garethgeorge feel free to add this to wiki: Basic authentication for SSOHTTP basic authentication can be used together with forward-auth to enable single-sign-on. Forward-auth passes request headers to a 3rd party software, most commonly an SSO identity provider service, which can add additional headers to the proxied service (Backrest), in this case adding All of the major web servers and proxies support forward-auth (Apache, Nginx, Traefik, Caddy, etc.), please consult their documentation on how to set it up. Example with AuthentikSet username and password attributesWhen using Authentik proxy provider for forward-auth, enable Bind group or user to Backrest applicationIn the Authentik applications section, navigate to your Backrest application, and go to Choose the appropriate Group or User to bind to the application and click Set the username and password in group/user attributesAdd the previously chosen username and password attributes (with values from actual user in Backrest) in the group attributes section and click Now when connecting to Backrest, Authentik will add HTTP-Basic authentication header with username and password from the group/user attributes and user should be automatically logged in. |
Hi, I'm evaluating relicensing Backrest as AGPL-3.0 . Thanks for contributing this fix! I'm wondering if you'd be willing to retroactively sign a CLA? Or grant more specific permission to retain the copyright for your PRs but relicense your changes in the codebase under AGPL-3.0 . I've become aware of a few SAAS looking at selling Backrest which goes philosophically against what I created it for (well they're welcome to -- but their platforms should be OSS and self-hostable re: the same freedoms Backrest provides!). |
Sure thing, AGPL sounds great. |
Added a simple check for HTTP Basic authorization. Seems to work fine with Authentik SSO passing the auth header.
This does not add
WWW-Authenticate
header since it normally expects to receive Bearer auth for JWT.I am not familiar with go, so I presume that
bcrypt.CompareHashAndPassword
takes care of timing attacks and I don't have to addConstantTimeCompare
myself. Please correct me if I am wrong.Maybe adding rate limiting for brute force detection would be a good idea. Should it be added only for Basic auth, or is it relevant for Bearer token as well?