Protect a directory with regular Laravel Auth - authentication

I have a secondary application that drops new folders into my Laravel application on a daily basis. The contents of the folder need to be publicly accessible because they're flash files with a number of assets placed in each day's folder, alongside static .html pages, .jpgs, and .swfs. These links are part of the secondary application's vendor-coded framework.
Moving the files from a non-web accessible folder using php doesn't seem like a good option. I've tried using readfile() and considered .htaccess, but I don't want a secondary login for my users.
Only users who have logins with my Laravel application should have access to these files. Is there some way I can protect access to any request inside this folder with Laravel's Auth system, not basic auth? With the understanding that the page requests inside that folder vary?

From extensive searching, I've found that Laravel cannot handle the protection of public folders with static assets. This is a web server configuration issue.
One solution would be to set a cookie that gets read by the web server and bounces the user if the cookie value does not match a predetermined value. But Laravel encrypts cookies and disposes of cookies not encrypted on each load. So that solution would only work if you use App::filter to process the cookie using php setcookie().

Related

Best way to password-protect folders on IIS

What is the best way to password-protect a folder on IIS with a single set of credentials to be shared by a group of users?
Our hosting service offers Plesk, which in turn offers a "password-protected directory" function, but some of our clients have HTTP authorization disabled, so they get an automatic 401.4 error with no prompt for credentials.
I've looked into Forms authentication but this seems cumbersome to set up for the numerous separate domains at issue.
The protected content is not super sensitive, we just don't want it easily accessible to the public. Many of our users do not use the site frequently and we don't want to implement individual credentialing for everyone (we do have that in place for more sensitive sections) just so they can view current project reports or meeting minutes.
On sites I don't control, but am just a user, that do the same things as mine, it is a big pain to have to look up a username and password twice per year just to view a meeting agenda (yes, browser could remember but they also have a 4-month expiration and lots of us are on different devices all the time).
Is Forms authentication the way to go? It took me several hours to get it set up and working, with all sorts of settings not well documented in a single place.
(I had previously asked about how to disable Basic Auth on the client side, was told more than once it's not possible - but it is, via client/browser registry keys)
Thanks.
It's perfectly fine to use forms authentication. All you need to do is navigate to the folder or file you want to protect, then go to Authorization Rules. Add a deny rule for anonymous users; when users who are not logged in try to click on any file in that folder, they will be redirected to your login page. You can find a lot of guides on forms authentication in Google; you can refer to the following:
https://learn.microsoft.com/zh-CN/troubleshoot/developer/webapps/aspnet/development/forms-based-authentication
https://learn.microsoft.com/en-us/iis/application-frameworks/building-and-running-aspnet-applications/how-to-take-advantage-of-the-iis-integrated-pipeline

Add authentication for certain pages of Jekyll site

I have a certain page on my Jekyll site that I only want to make available to people from my organization's domain (call it example.com).
Am I correct in my understanding that it's not possible to restrict access to certain pages because — as is the nature of a static site — everything has already been served at once?
I'm aware of the jekyll-auth plugin to authenticate users against GitHub, but my situation would require that authentication through Google sign-in.
Jekyll is just a static site generator, so anything related to authentication will depend on what you have available on the webserver that is hosting the site.
Take a look at the Jekyll Google Auth plugin for example:
https://github.com/apcj/jekyll-google-auth
It's basically a trick... Anytime a request comes in for a page, they run it through Sinatra (using the _site folder as the static file folder, just as public would be normally), and authenticate it using apcj/sinatra-google-auth.
So in this case, you know that your webserver must have Sinatra for this authentication method to work.
One alternative would be to password protect your Jekyll site with HTTP basic auth. Aerobatic provides such a feature for static sites hosted with Bitbucket. And yes, you can protect only certain directories of the site.
https://www.aerobatic.com/blog/password-protect-a-jekyll-site
Disclaimer: I'm one of the founders of Aerobatic
You can use Netlify to add authentication to any static site, not just Jekyll. Deploy your site for free on Netlify and use their identity widget.

Get Dropbox public folder's metadata without authentication

I'm about to create a blog and wanted to host the content on Dropbox (only Markdown files, everything else is on my server) because I want to be able to quickly upload and edit posts from all my devices without having to get some FTP app on them.
So far I managed to access files via https://dl.dropboxusercontent.com/u/********/<sub-folder>/<file name>.md and, as pointed out here, I can get the last-modified attribute via etags.
However, I'm stuck at getting a file list (or a folder's metadata in general). Is this possible without using OAuth?
No, this isn't possible without using the API. But why are you against using the API?
Feel free to use my tool https://dbxoauth2.site44.com/ to get an OAuth access token for your account. Then just do an HTTP GET to https://api.dropbox.com/1/metadata/auto/<path> with an Authorization header of Bearer <token>. Ditto for getting the actual file contents, just use /files/auto/<path> instead.
Oh, unless you're doing this client-side in JavaScript? In that case, this won't work since you can't give your access token out to the client (where it could be abused by anyone who visited your website).
Make a "Public" folder and go to https://www.dropbox.com/enable_public_folder
Go back to your Dropbox folder (web), right-click a file in the Public folder and choose "Copy public link..."
Update: As of September 1, 2017 public links have been disabled for all users.
https://help.dropbox.com/files-folders/share/public-folder

Flask-security login and logout

How do you log a user in and out in Flask using the Flask-Security extension?
I just started using flask-security, and going through the documentation here http://pythonhosted.org/Flask-Security/api.html , I can't really figure out how to explicitly log a user in and out, as well as authenticate the user before logging them in.
Flask-Security uses Flask-Login. So you can do the following as per documentation:
from flask_login import login_user, logout_user  # Flask-Security builds on Flask-Login, which provides both

login_user(user)  # where user is your user object; this writes the user id into the session
logout_user()     # clears the current user from the session again
Obviously, you still need to write your views where you will validate the form submissions etc before calling these methods and do the proper template rendering or redirects as needed.
Go to the flask security configurations page here: http://pythonhosted.org/Flask-Security/configuration.html
and copy over all the default configuration values into your __init__.py file like:
app.config['SECURITY_LOGIN_USER_TEMPLATE'] = 'security/login_user.html'
etc...
Then you have to download the security file which contains all the html templates. Put that folder in your templates folder where you keep all the other html templates. You can use google to figure out where to download the folder as well as how to set up the rest of flask security. I had a lot of trouble figuring out flask security as well, but after poking around here and on google, I was able to get some of it working, so don't lose faith. Hope this helps.

Form Authentication on Website

Here is how our Tomcat webserver is currently setup. We are using jsp for the webpages.
/webserverpath/main (all public pages and the login page)
/webserverpath/secure1 (private pages)
/webserverpath/secure2 (private pages)
/webserverpath/secure3 (private pages)
I recently discovered that the authentication is very minimal. For instance, once a user is logged in they can bookmark any private page, close the browser, open the browser back up, go to the bookmark and are never asked to sign in again (which turns out to be bad since we recently started disabling users). All of this was set up before I arrived. I'm wondering what I can do to add the proper security? Should I have all the folders under one main folder (i.e. /webserverpath/main/secure1, etc.) or just leave it alone?
Let me add that I'm newish to the whole website authentication stuff, having multiple websites in different folders like this and JSP itself.
You might start here: Declarative Web Application Security with Servlets and JSP
Generally, you probably want some session-based authentication that kicks people out of the private parts of the site if they aren't authenticated.
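The answer above points to declarative, session-based security. Two properties decide whether that fixes the question's two complaints: the session must expire (idle and absolute lifetimes, so a bookmark opened days later is challenged again), and the account's status must be re-checked on every request, not only at login, so disabling a user ends the sessions they already hold. The following is an added example, not code from the question, from Tomcat or from the Flask-Security answer above: a standard-library Python session store that implements both, with a salted PBKDF2 password check and an injectable clock so expiry can be exercised without sleeping. The create-session / destroy-session pair here is what Flask-Login's `login_user()` and `logout_user()` (which the Flask-Security answer above uses) do on top of the Flask session. User names, passwords, timeouts and the PBKDF2 iteration count are constructed values.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

PBKDF2_ROUNDS = 100_000  # constructed iteration count; tune upward for production hardware


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns salt || digest."""
    salt = salt or secrets.token_bytes(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def check_password(password, stored):
    """Constant-time comparison of a candidate password against a stored hash."""
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


@dataclass
class User:
    name: str
    password_hash: bytes
    enabled: bool = True  # an administrator flips this to disable the account


@dataclass
class Session:
    user: str
    created: float
    last_seen: float


class ManualClock:
    """Injectable clock so timeouts can be tested deterministically."""
    def __init__(self, now=0.0):
        self.now = now

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class SessionStore:
    """Server-side sessions: the browser only ever holds a random opaque id."""

    def __init__(self, users, idle_timeout=30 * 60, absolute_timeout=8 * 3600, clock=time.time):
        self.users = users
        self.sessions = {}
        self.idle_timeout = idle_timeout
        self.absolute_timeout = absolute_timeout
        self.clock = clock
        # Hash to verify against when the user name is unknown, so the failure
        # path costs the same time as a real password check.
        self._dummy_hash = hash_password(secrets.token_hex(8))

    def login(self, name, password):
        """Return a fresh session id on success, otherwise None."""
        user = self.users.get(name)
        stored = user.password_hash if user is not None else self._dummy_hash
        ok = check_password(password, stored)
        if user is None or not user.enabled or not ok:
            return None
        now = self.clock()
        sid = secrets.token_urlsafe(32)  # 256 bits of randomness; never derived from the user
        self.sessions[sid] = Session(name, now, now)
        return sid

    def current_user(self, sid):
        """Resolve a session id to its User, re-checking expiry and account status every call."""
        session = self.sessions.get(sid)
        if session is None:
            return None
        now = self.clock()
        user = self.users.get(session.user)
        expired = (now - session.last_seen > self.idle_timeout
                   or now - session.created > self.absolute_timeout)
        if expired or user is None or not user.enabled:
            self.sessions.pop(sid, None)  # a disabled account loses its live sessions here
            return None
        session.last_seen = now
        return user

    def logout(self, sid):
        """Destroy the session server-side, so a replayed cookie is useless."""
        self.sessions.pop(sid, None)

    def disable_user(self, name):
        self.users[name].enabled = False
```

Every private page calls `current_user()` with the id from the cookie and redirects to the login page on None; because the check runs per request against the live user record, disabling the account takes effect on the user's very next click rather than at their next login. For a Tomcat deployment the same effect comes from setting a session timeout in web.xml and invalidating the HttpSession when an account is disabled.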