Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

checkpath directive #43

Open
wants to merge 3 commits into
base: master
Choose a base branch
from
Open

checkpath directive #43

wants to merge 3 commits into from

Conversation

radek-senfeld
Copy link

Hi BTBurke,
we found ourselves in a quite similar situation as described in #41.

I've implemented a simple path checking mechanism. Hope you like it! ;-)

@BTBurke
Copy link
Owner

BTBurke commented Mar 13, 2019

Thanks for the contribution. I like the idea but I think I might implement this a little bit differently. This method is limited in that you can only have one path and it doesn't take into account what some people want to do, which is allow access to a whole set of resources under a particular path.

What I'm thinking about doing instead is to introduce some reserved keywords using the existing allow and deny directives. If done right, people should be able to mix and match allow and deny to reach any kind of dynamic path protection.

For example, adding two new reserved keywords match:exact and match:prefix:

allow path match:prefix

And with a JWT with a path:

{
    "path":  "/protected/resource"
}

A prefix match would allow someone to access /protected/resource/1. Setting it to match:exact would only allow you access to /protected/resource but not /protected/resource/1. Likewise, a deny rule could be used on a path to deny access to particular paths.

What do you think?

@radek-senfeld
Copy link
Author

radek-senfeld commented Mar 18, 2019
edited
Loading

I agree fully. That would be elegant indeed.

I was dreaming about something similar for a few moments but then the Real life knocked and I had to whip out something functional to replace Nginx's secure_link feature. My itch is pretty much scratched. 🤣

My proposal is to have such a functionality now and replace it later. It's an minor patch and it won't be a problem to rip it off when the time comes.

I also cannot promise to invest too much time into this. Go is fun but so is my life.. 😐

Implemented as discussed would make allowroot obsolete too, am I right?

@icb-
Copy link
Contributor

icb- commented Jun 6, 2019

I needed something like what @BTBurke suggested, so I went ahead and started working on it. I hope I'm not stepping on any toes. I think icb-/caddy-jwt@d0f8d4b is mostly complete, except for rounding out tests. I went with new config directives rather than reserved keywords in the existing allow and deny directives, but I'm happy to make whatever changes others think are appropriate.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@radek-senfeld @BTBurke @icb-