I have a satis repository which connects the dots for my private bitbucket repositories. I want to be able to charge for access to this satis repository by sending over the applications (my base application uses Laravel) secret key and validate it against the users account. Is there a way to send over the key for me to validate?
regards
Satis is simply a script that compiles some files that can be hosted anywhere where static file hosting is available.
If you want to add access control, it is not a question of using Satis correctly, but implementing access control for static HTTP resources.
By the way: The only authentication protocol Composer offers is HTTP Authentication (aka ".htpasswd"), so if you want a sophisticated payment and access control, you have to implement something that would send 401 HTTP status codes, wait for a username/password and check if that account paid.
Related
When I make a GCP cloud run instance anyone can to that link. I am using it for an API for my website. I do not want joe blow opening F12 and following the HTTP requests to my API. I use API keys and stuff however I want my link to be protected to only certain IP addresses or at least lock it behind a username and password. How can I do this with cloud run on GCP?
Cloud Run exposes a public URL by default. You can make it public (let allUsers invoke your endpoint) or restricted (only authorized user can invoke)
The problem with the second solution is that only the Google accounts (Workspace or Gmail) can be added and so restrict your user to use that type of credentials.
So, the solution is to make your API public. You can implement security mechanism in it to software control the authN and authZ of your user, but you aren't protected against DDOS attacks.
Therefore, Cloud Armor enters in the game. You have to create a Load Balancer and to put your Cloud Run service as backend of it. Then activate Cloud Armor. You will be able to check the IP source of the requester, but also to protect your service against attacks.
I have a server and I make a tunnel with cloudflare to be able to access from outside creating an application in Cloudflare Zero Strust and I am trying to disable all the policies so that it allows me to access the application without authentication.
But nothing works, whenever I try to enter my linkstream.domain.org application, it asks me for authentication via email.
The reason is that this application allows me to play streams so I don't want it to have authentication to access.
I've searched and configured everything, but I can't remove this authentication from cloudflare:
Cloudflare Access is a product that can be used to add authentication to an application. If you want your application to be public (i.e. no authentication), I'd recommend not adding it to Access at all. You can set up a Cloudflare Tunnel without adding any Access application, for example to expose a webserver to the public.
I'd recommend looking also at the Allow policies.
I am developing two linux programs, a CLI client and a server communicating via gRPC, and I now would like to authenticate users against a given private authorization server such as LDAP, Active Directory, etc.
I am confused regarding the various possible authentication flows. I think I can't use any classical flow including HTTP redirects since I shouldn't rely on a browser being installed or having internet access. I can't even define an endpoint I could redirect to (servers don't have internet access, and both are behind NATs).
So I was thinking of trying to store user's credentials as a JWT token file in the user's computer and then load it from my CLI client program to include it in my RPC requests and then validate it on the server-side. But, supposing I'm right, then what would be the best standard way of getting this token file?
If you had a browser you could use OAuth and the 'oob' (out of band) method where the CLI opens the browser and after the user authenticates it displays a number which the user copy/pastes into the CLI. This how my flickr backup CLI works. The number they copy/paste is because the CLI has no OAuth endpoint and the number is their access token to allow me to call the flickr api on their behalf.
If you can't use a browser the CLI can just accept a username/password from the user, send it to the server and receive a token in return. You don't really need anything fancy like JWT. A simple UUID would be enough. The UUID 'asserts' that the user is allowed to access the server's other RPC methods. The server would validate the UUID token to make sure it's still valid. If you need user information from the token, the server could do that. Keeps the user information off the client's disk and only the CLI can access that information, if the token is still valid.
So in effect, you need a new server RPC method, perhaps, authenticate, that accepts a username and password and returns a UUID token. All other RPC methods then need to accept that token and validate it before performing the requested function. As part of the server-side authentication process, the server could associate that token with the user information it got from the LDAP server so you don't need to store that information on the client. Lets you encrypt it on the server too and if the client needs it, it asks for it using the UUID token if it's still valid (time to live?). If it's no longer valid, the client just needs to ask for username/password again and the server can re-authenticate the user via LDAP and refresh the token and user information.
gRPC has authentication protocols but the SSL/TLS doesn't seem to match your needs and the OAuth won't work as you don't have a browser. So perhaps rolling your own simple token service (authenticate) combined with LDAP authentication might be a workable option.
I have an OpenAM Identity management and a website that needs its credentials for loggin in. I want to federate my website with Google. My web site doesn't support any Federation protocol. How can I do this? Is there any module or plugin for each protocol to deploy in my site? should I change my source code ?
You should potentially set up federation between Google and OpenAM, and then use a policy agent or OpenIG to protect your application.
Even though both the agents and OpenIG tries to make the integration as transparent as possible, it may be necessary to modify the application (for example to ensure that the app reads the user name out of an HTTP request header/cookie/etc, and possibly some other modifications to interact with the application's authorization framework).
I am Java developer and my customer wants to make web application using CKAN.
But he wants too many functions more over CKAN offers or not corresponds with CKAN's architecture.
So I decided to write Java program which has functions that customer wants and calls CKAN's RESTful API using Apache HttpComponent
But I encountered authorization issue.
Because my To-Be system will works without login to CKAN, I have to know users API-KEY when I call some apis need authorization.
But I can't get API-KEY unless login CKAN site(right?) and I think that getting someone's API-KEY by another way is nonsense.
If you don't think so, could you tell me how to get users API-KEY?
I also considered another way making all objects need authorization public.
But some apis send authorization error when I don't put API-KEY in Http header whether the object I intend to handle is public or private
Because of these reasons, development is been delaying.
Could you give me some advice?
The only way to get a user's API key is for the user herself to login to the CKAN web interface and go to their profile page.
If you're writing an API client, the way a client would normally work is to ask the user to enter their username and API key, either in a configuration file or into a GUI.