The service up is currently disabled since it does not have any login function (which is intentional by the original author I think)
I guess it would be possible to add the SSO login and have an OAuth2 login for the web page, but we would also need an API key to be able to use the tool in a script, e.g. with the pb script by tomasino
We could use long-lived OAuth tokens for that, or we could make a page that sets an API key similar to what Opengist does; this is a random fixed string that you can remove or replace, and there is only one key available at any given time for the user.
Or we could have a PAT similar to what GitHub does, which is username/PAT as login, and different apps can use different keys so that limited-rights rules are possible (we don't need that for the upload service since there is only one function)
Or we could replace the tool completely if there is a similar tool that has OAuth support directly. I used a site before that used their own login and had an API key that could be provided as a POST parameter or a header, but I don't think that software was open source.
For now I will look into how this is possible with PHP; the script is pretty simple, it is actually one file. The OAuth will require composer, but that is not really a problem
Login-feature for up.tilde.green
Re: Login-feature for up.tilde.green
To be honest I don't understand a lot of the auth methods that you are talking about, like SSO, OAuth2 and PAT. What I want to suggest is if we can have a system similar to SSH. scp/ssh/curl (or a wrapper script) reads the key from ~/.ssh and sends the token to up.tilde.green along with the desired file, and tilde.green servers can check the SSH key against the .pub file we uploaded during registration and send back a URL.
I don't know how difficult it is technically, but I'm just throwing at the wall hoping something sticks.
Re: Login-feature for up.tilde.green
the page would redirect to a login page that already exists (the TGCI page) and store an auth token as a cookie, this would work for web use of the page up.tilde.green
usage with curl would be different since you cannot do the login in a single request, so it would either use an API token that is sent as a header or a bearer token, which is sent with a header as well, that can be fetched with a login script or requested from a web page where you log in, that can also be used to delete the token and create a new one
An SSH-based file publishing service also exists, but we currently do not have one, also a netcat-based publishing service is possible in theory, one of the other pubnix services has that where you just use cat file|nc host 8888 to create a file URL (that would again be an issue how to do the login)
I have written a shell script which does the OAuth flow using curl, but not yet doing the login, so you need to snoop 2 cookies from the browser, maybe this could be adapted to have a full login client (this is for pingvin share currently which we run on share.tilde.green) https://tildegit.org/alexlehm/pingvin-upload-shell
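The API-token option described in the post above (one replaceable key per user, sent in a header from curl) can be sketched server-side as follows. This is an added example, not code from the thread or from single_php_filehost; the class and function names, the Bearer header format and the in-memory storage are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread or from single_php_filehost.
// Keys live in an in-memory array here (assumption); persist the digests in practice.
final class ApiKeyStore
{
    /** @var array<string,string> username => SHA-256 hex digest of the current key */
    private array $digests = [];

    // Create or replace the user's only key; the plaintext is returned once, never stored.
    public function rotate(string $user): string
    {
        $key = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG
        $this->digests[$user] = hash('sha256', $key);
        return $key;
    }

    // Delete the key so scripts holding it stop working.
    public function revoke(string $user): void
    {
        unset($this->digests[$user]);
    }

    // Return the owning username, or null when the key matches nobody.
    public function verify(string $key): ?string
    {
        $digest = hash('sha256', $key);
        foreach ($this->digests as $user => $stored) {
            if (hash_equals($stored, $digest)) { // constant-time comparison
                return (string) $user;
            }
        }
        return null;
    }
}

// Authenticate a request from "Authorization: Bearer <key>"; null means reject.
function authenticate(ApiKeyStore $store, array $server): ?string
{
    $header = $server['HTTP_AUTHORIZATION'] ?? '';
    if (!preg_match('/^Bearer ([0-9a-f]{64})$/', $header, $m)) {
        return null; // header missing or malformed
    }
    return $store->verify($m[1]);
}

// Constructed demo: issue a key, use it, replace it, and try the old one again.
$store  = new ApiKeyStore();
$old    = $store->rotate('alice');
$before = authenticate($store, ['HTTP_AUTHORIZATION' => "Bearer $old"]);
$new    = $store->rotate('alice');
$after  = authenticate($store, ['HTTP_AUTHORIZATION' => "Bearer $old"]);
var_dump($before, $after, authenticate($store, ['HTTP_AUTHORIZATION' => "Bearer $new"]));
```

Because only the digest is kept, a leaked key store does not hand out usable keys, and replacing a key invalidates the old one without any extra bookkeeping.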
Re: Login-feature for up.tilde.green
I have the SSO login working on my instance of the filehost script, I will commit it to Git later
Re: Login-feature for up.tilde.green
Great.
Thanks a lot for taking the time to implement OIDC support to the Single .php File Host program, even tho it's no longer a Single .php
Re: Login-feature for up.tilde.green
I have the integration of OIDC almost finished on my instance, it still has some errors, here an exception happens, but overall it works
https://pasting.lehmann.cx/
Re: Login-feature for up.tilde.green
jmjl wrote: ↑Sat Nov 09, 2024 1:40 pm
> Great.
> Thanks a lot for taking the time to implement OIDC support to the Single .php File Host program, even tho it's no longer a Single .php
yes, that made me chuckle as well, the OIDC is longer than the application script, it has composer, an autoload file and a single class
Re: Login-feature for up.tilde.green
I assume it's licensed under the license that https://github.com/Rouji/single_php_filehost is, right?
I'll later take a look and rewrite some parts of it so that the homepage is accessible, whilst the upload button is hidden, and you can upload also when $_SERVER['PHP_AUTH_USER']=='oauth' && $_SERVER['PHP_AUTH_PW'] is an active introspection token or there's an active introspection token in the Authorization: Token <introspection-token> header[1].
[1] The checker would first try to see if there's an Authorization header and check that and if that fails, fail, but if there's no Authorization header, it would fall back to the HTTP Basic Auth check, and if that fails it'd fall back to the OIDC assuming this conditional doesn't match:
// From https://github.com/Rouji/single_php_filehost
// decide what to do, based on POST parameters etc.
if (isset($_FILES['file']['name']) &&
isset($_FILES['file']['tmp_name']) &&
is_uploaded_file($_FILES['file']['tmp_name']))