HTTP Auth #163

jimafisk commented 2023年01月23日 20:15:40 +01:00

Is there any way to put some sort of authentication in front of a website? This would be helpful in cases where you have a dev site that shouldn't be public.

Even if you could just specify a username/password for HTTP Auth on a custom domain in something like a .auth file, it would be awesome :).

Would something like that be appropriate for the roadmap? Thanks!

Is there any way to put some sort of authentication in front of a website? This would be helpful in cases where you have a dev site that shouldn't be public. Even if you could just specify a username/password for HTTP Auth on a custom domain in something like a `.auth` file, it would be awesome :). Would something like that be appropriate for the roadmap? Thanks!

fnetX commented 2023年01月23日 21:12:56 +01:00

I think this should be a wontfix. If you need to serve content for development purpose only, a public webhosting is not the space. Use localhost, or maybe a folder name which is really hard to guess.

For a public hosting, I consider this a feature that adds unnecessary complexity.

I think this should be a wontfix. If you need to serve content for development purpose only, a public webhosting is not the space. Use localhost, or maybe a folder name which is really hard to guess. For a public hosting, I consider this a feature that adds unnecessary complexity.

jimafisk commented 2023年01月23日 21:44:49 +01:00

Totally understand if this is something you don't want included in the project. FWIW there are a few other public hosts that offer access control (figured this would be harder than HTTP Auth):

• GitLab Pages: https://docs.gitlab.com/ee/user/project/pages/pages_access_control.html
• GitHub Pages: https://docs.github.com/en/enterprise-cloud@latest/pages/getting-started-with-github-pages/changing-the-visibility-of-your-github-pages-site

Totally understand if this is something you don't want included in the project. FWIW there are a few other public hosts that offer access control (figured this would be harder than HTTP Auth): - GitLab Pages: https://docs.gitlab.com/ee/user/project/pages/pages_access_control.html - GitHub Pages: https://docs.github.com/en/enterprise-cloud@latest/pages/getting-started-with-github-pages/changing-the-visibility-of-your-github-pages-site

fnetX commented 2023年01月23日 21:53:25 +01:00

Please note that the GitHub feature seems to be limited to an "Enterprise Cloud" subscription, and GitLab is basically the best example for feature creep, and I disagree to their philosophy to put so many features in an app that it can barely be hosted by anyone without spinning up a whole datacenter (exaggeration, obviously, but you get the point).

Please note that the GitHub feature seems to be limited to an "Enterprise Cloud" subscription, and GitLab is basically the best example for feature creep, and I disagree to their philosophy to put so many features in an app that it can barely be hosted by anyone without spinning up a whole datacenter (exaggeration, obviously, but you get the point).

jimafisk commented 2023年01月23日 21:59:02 +01:00

I disagree to their philosophy to put so many features in an app that it can barely be hosted by anyone without spinning up a whole datacenter

😂 I agree with you that simplicity of setup and maintainability should have priority over features. Thank you for taking the time to provide feedback, I'll close this out.

> I disagree to their philosophy to put so many features in an app that it can barely be hosted by anyone without spinning up a whole datacenter 😂 I agree with you that simplicity of setup and maintainability should have priority over features. Thank you for taking the time to provide feedback, I'll close this out.

levino commented 2023年12月19日 21:36:28 +01:00

I think this would be a quite nice addition. Saying that "gitlab and github have too many features anyhow" is kinda weird. They are the benchmark for a lot of the things that codeberg / forgejo aim to provide, are they not? Especially in order to get expensive github premium features for cheap might be a reason for a lot of people to use forgejo in the first place. Like it or not. Hopefully some of these people eventually also contribute, but you never know and that is the thrill of open source, is it not? So I would say this feature request is very valid and it would be nice to have it implemented.

FWIW: I have been jumping hoops today to find a solution to get a website with some documentation containing mildly sensitive data behind a user login without paying for it (it is about some stuff for the Kindergarten of my child). I ended up with gitlab pages, but as far as I can tell that will only scale to 5 users before I have to pay.

I think this would be a quite nice addition. Saying that "gitlab and github have too many features anyhow" is kinda weird. They are the benchmark for a lot of the things that codeberg / forgejo aim to provide, are they not? Especially in order to get expensive github premium features for cheap might be a reason for a lot of people to use forgejo in the first place. Like it or not. Hopefully some of these people eventually also contribute, but you never know and that is the thrill of open source, is it not? So I would say this feature request is very valid and it would be nice to have it implemented. FWIW: I have been jumping hoops today to find a solution to get a website with some documentation containing mildly sensitive data behind a user login without paying for it (it is about some stuff for the Kindergarten of my child). I ended up with gitlab pages, but as far as I can tell that will only scale to 5 users before I have to pay.

jimafisk commented 2023年12月19日 21:57:11 +01:00

Hi @levino,

I had this feature working previously for my own instance, here's the code in case you're interested: #166

My understanding is the project maintainers do not want to include the feature, but you should be able to pull it in if you want to run your own build. Hope that helps!

Hi @levino, I had this feature working previously for my own instance, here's the code in case you're interested: https://codeberg.org/Codeberg/pages-server/pulls/166 My understanding is the project maintainers do not want to include the feature, but you should be able to pull it in if you want to run your own build. Hope that helps!

fnetX commented 2023年12月19日 22:03:24 +01:00

It is simply not what Codeberg Pages is about. Our service is about "hosting Free/Libre software for the public". We only allow private repos for convenience, it's not that we want to offer free cloud hosting for everyone and everything.

Adding a restriction on a website only makes sense when the actual content is not already visible to the world. So it would encourage more private repositories, which is defeating the legal purpose of our non-profit association.

It is simply not what Codeberg Pages is about. Our service is about "hosting Free/Libre software for the public". We only allow private repos for convenience, it's not that we want to offer free cloud hosting for everyone and everything. Adding a restriction on a website only makes sense when the actual content is not already visible to the world. So it would encourage more private repositories, which is defeating the legal purpose of our non-profit association.

crapStone commented 2023年12月20日 13:41:03 +01:00

We could still add it to the pages-server and disable it for Codeberg Pages

We could still add it to the pages-server and disable it for Codeberg Pages

levino commented 2024年01月15日 09:02:15 +01:00

Thank you @jimafisk. However I would expect that user authentication is based on the users from my codeberg instance. So all users who have read access to the repository with the websites source also have access to the website. That is how gitlab does it. Maintaining some kind of list with username and password does not scale (the least of the problem will be the people forgetting their passwords...).

Thank you @jimafisk. However I would expect that user authentication is based on the users from my codeberg instance. So all users who have read access to the repository with the websites source also have access to the website. That is how gitlab does it. Maintaining some kind of list with username and password does not scale (the least of the problem will be the people forgetting their passwords...).

crapStone commented 2024年01月15日 19:23:05 +01:00

@levino How about adding OAuth and using the accounts with access to the repo that hosts the files?

@levino How about adding OAuth and using the accounts with access to the repo that hosts the files?

levino commented 2024年01月16日 10:08:50 +01:00

That would be nice. I asked about this for authjs for github organizations. The idea should be the same for forgejo. However I doubt that jwts issued via the OAuth process will include the information that a user has access to a specific repository and if, which access they have. Maybe there is some kind of endpoint in the forgejo instance that I could query for a given jwt but that is definitely not possible with github so I would be surprised if it is implemented in forgejo. Could also potentially be abused, idk.

That would be nice. I [asked](https://github.com/nextauthjs/next-auth/discussions/9270) about this for `authjs` for github organizations. The idea should be the same for forgejo. However I doubt that jwts issued via the OAuth process will include the information that a user has access to a specific repository and if, which access they have. Maybe there is some kind of endpoint in the forgejo instance that I could query for a given jwt but that is definitely not possible with github so I would be surprised if it is implemented in forgejo. Could also potentially be abused, idk.

mtribiere commented 2024年07月17日 12:08:43 +02:00

Any new on this feature? I also have a use case for having finer access control.
Probably something that mirrors Gitea's read rights on a repo.

Any new on this feature? I also have a use case for having finer access control. Probably something that mirrors Gitea's read rights on a repo.

levino commented 2025年10月24日 15:51:28 +02:00

I built my own solution from some parts that I found on the internet (mainly docker, coolify and pocketbase). Feel free to adapt https://github.com/levino/protected-docs-example or https://github.com/levino/protected-docs-template to your needs. If you have any questions, let me know in the repos.

FWIW: I really like the fact that I can provide access to people who do not have GitHub/Gitea/Codeberg/Forgejo-Accounts. Surprisingly many people are mentally incapable of creating an account with GitHub.

I built my own solution from some parts that I found on the internet (mainly docker, coolify and pocketbase). Feel free to adapt https://github.com/levino/protected-docs-example or https://github.com/levino/protected-docs-template to your needs. If you have any questions, let me know in the repos. FWIW: I really like the fact that I can provide access to people who do not have GitHub/Gitea/Codeberg/Forgejo-Accounts. Surprisingly many people are mentally incapable of creating an account with GitHub.