~Green Forum

The service up is currently disabled since it does not have any login function (which is intentional by the original author I think)

I guess it would be possible to add the SSO login and have a Oauth2 login for the web page but we would also need an API key to be able to use the tool in a script, e.g. with the pb script by tomasino

We could use long-lived Oauth tokens for that or we could make a page that sets an API key similar to what Opengist does, this is a random fixed string that you can remove or replace and there is only one key available at any given time for the user.

Or we could have a PAT similar to what Github does which is username/PAT as login and different apps can use different keys so that a limited rights rules are possible (we don't need that for the upload service since there is only one function)

Or we could replace the tool completely if there is a similar tool that has Oauth support directly. I used a site before that used their own login and had an API key that could be provided as a POST parameter or a header, but I don't think that software was open source.

For now I will look into how this is possible with PHP, the script is pretty simple, it is actually one file, the Oauth will require composer, but that is not really a problem

To be honest I don't understand a lot of the auth methods that you are talking about like, SSO, OAuth2 and PAT. What I want to suggest is if we can have a system similar to SSH. scp/ssh/curl (or a wrapper script) reads the key from ~/.ssh and sends the token to up.tilde.green along with the desired file and tilde.green servers can check the ssh key against the .pub file we uploaded during registration and send back a url.

I don't know how difficult it is technically, but I'm just throwing at the wall hoping something sticks.

the page would redirect to a login page that already exists (the TGCI page) and store a auth token as cookie, this would work for web use of the page up.tilde.green

usage with curl would be different since you cannot do the login in a single request, so it would either use an API token that is sent as a header or a bearer token, which is sent with a header as well, that can be fetched with a login script or requested from a web page where you log in, that can also be used to delete the token and create a new one

A ssh-based file publishing service also exists, but we currently do not have one, also a netcat-based publishing service is possible in theory, one of the other pubnix services has that where you just use cat file|nc host 8888 to create a file url (that would again be an issue how to do the login)

I have written a shell script which does the Oauth flow using curl, but not yet doing the login, so you need to snoop 2 cookies from the browser, maybe this could be adapted to have a full login client (this is for pingvin share currently which we run on share.tilde.green) https://tildegit.org/alexlehm/pingvin-upload-shell

I have the sso login working on my instance of the filehost script, I will commit it to Git later

alexlehm wrote: ↑Sat Nov 09, 2024 9:54 am I have the sso login working on my instance of the filehost script, I will commit it to Git later

Great.
Thanks a lot for taking the time to implement OIDC support to the Single .php File Host program, even tho it's no longer a Single .php

I have the integration of OIDC almost finished on my instance, it has some errors still here an exception happens, but over all it workes

https://pasting.lehmann.cx/

jmjl wrote: ↑Sat Nov 09, 2024 1:40 pm
Great.
Thanks a lot for taking the time to implement OIDC support to the Single .php File Host program, even tho it's no longer a Single .php

yes, that made me chuckle as well, the OIDC is longer than the application script, it has composer, an autoload file and a single class

alexlehm wrote: ↑Sat Nov 09, 2024 9:54 am I have the sso login working on my instance of the filehost script, I will commit it to Git later

Could you post the Git url when you publish it?

alexlehm wrote: ↑Sat Nov 09, 2024 10:33 pm https://gist.tilde.green/alexlehm/ff953 ... 44563a6eb3

I assume it's licensed under the license that https://github.com/Rouji/single_php_filehost is right?

I'll later take a look and rewrite some parts of it so that the homepage is accessible, whilst the upload button is hidden, and you can upload also when $_SERVER['PHP_AUTH_USER']=='oauth' && $_SERVER['PHP_AUTH_PW'] is a active introspection token or there's a active introspetion token in the Authorization: Token <introspection-token> header[1].

[1] The checker would first try to see if there's a Authorization header and check that and if that fails, fail, but if there's no Authorization header, it would fall back to the HTTP Basic Auth check, and if that fails it'd fall back to the OIDC assuming this conditional doesn't match: