Login-feature for up.tilde.green
Posted: Wed Nov 06, 2024 12:00 pm
by alexlehm
The service up is currently disabled since it does not have any login function (which is intentional by the original author, I think).
I guess it would be possible to add the SSO login and have an OAuth2 login for the web page, but we would also need an API key to be able to use the tool in a script, e.g. with the pb script by tomasino.
We could use long-lived OAuth tokens for that, or we could make a page that sets an API key similar to what Opengist does: this is a random fixed string that you can remove or replace, and there is only one key available at any given time for the user.
Or we could have a PAT similar to what GitHub does, which is username/PAT as login, and different apps can use different keys so that limited-rights rules are possible (we don't need that for the upload service since there is only one function).
Or we could replace the tool completely if there is a similar tool that has OAuth support directly. I used a site before that used their own login and had an API key that could be provided as a POST parameter or a header, but I don't think that software was open source.
For now I will look into how this is possible with PHP. The script is pretty simple, it is actually one file; the OAuth will require composer, but that is not really a problem.
Re: Login-feature for up.tilde.green
Posted: Thu Nov 07, 2024 6:26 am
by annada
To be honest I don't understand a lot of the auth methods that you are talking about, like SSO, OAuth2 and PAT. What I want to suggest is if we can have a system similar to SSH. scp/ssh/curl (or a wrapper script) reads the key from ~/.ssh and sends the token to up.tilde.green along with the desired file, and tilde.green servers can check the SSH key against the .pub file we uploaded during registration and send back a URL.
I don't know how difficult it is technically, but I'm just throwing at the wall hoping something sticks.
Re: Login-feature for up.tilde.green
Posted: Thu Nov 07, 2024 10:37 am
by alexlehm
The page would redirect to a login page that already exists (the TGCI page) and store an auth token as a cookie; this would work for web use of the page up.tilde.green.
Usage with curl would be different since you cannot do the login in a single request, so it would either use an API token that is sent as a header or a bearer token, which is sent with a header as well, that can be fetched with a login script or requested from a web page where you log in, that can also be used to delete the token and create a new one.
An SSH-based file publishing service also exists, but we currently do not have one. A netcat-based publishing service is also possible in theory; one of the other pubnix services has that, where you just use cat file|nc host 8888 to create a file URL (that would again be an issue how to do the login).
I have written a shell script which does the OAuth flow using curl, but not yet doing the login, so you need to snoop 2 cookies from the browser; maybe this could be adapted to have a full login client (this is for pingvin share currently, which we run on share.tilde.green).
https://tildegit.org/alexlehm/pingvin-upload-shell
Re: Login-feature for up.tilde.green
Posted: Sat Nov 09, 2024 9:54 am
by alexlehm
I have the sso login working on my instance of the filehost script, I will commit it to Git later
Re: Login-feature for up.tilde.green
Posted: Sat Nov 09, 2024 1:40 pm
by jmjl
alexlehm wrote: Sat Nov 09, 2024 9:54 am
I have the sso login working on my instance of the filehost script, I will commit it to Git later
Great.
Thanks a lot for taking the time to implement OIDC support to the
Single .php File Host program, even tho it's no longer a Single .php
Re: Login-feature for up.tilde.green
Posted: Sat Nov 09, 2024 4:59 pm
by alexlehm
I have the integration of OIDC almost finished on my instance; it has some errors still, here an exception happens, but overall it works.
https://pasting.lehmann.cx/
Re: Login-feature for up.tilde.green
Posted: Sat Nov 09, 2024 5:52 pm
by alexlehm
jmjl wrote: Sat Nov 09, 2024 1:40 pm
Great.
Thanks a lot for taking the time to implement OIDC support to the
Single .php File Host program, even tho it's no longer a Single .php
Yes, that made me chuckle as well; the OIDC is longer than the application script, it has composer, an autoload file and a single class.
Re: Login-feature for up.tilde.green
Posted: Sat Nov 09, 2024 9:02 pm
by jmjl
alexlehm wrote: Sat Nov 09, 2024 9:54 am
I have the sso login working on my instance of the filehost script, I will commit it to Git later
Could you post the Git url when you publish it?
Re: Login-feature for up.tilde.green
Posted: Sat Nov 09, 2024 10:33 pm
by alexlehm
Re: Login-feature for up.tilde.green
Posted: Sun Nov 10, 2024 4:52 pm
by jmjl
I assume it's licensed under the license that https://github.com/Rouji/single_php_filehost is, right?
I'll later take a look and rewrite some parts of it so that the homepage is accessible, whilst the upload button is hidden, and you can upload also when $_SERVER['PHP_AUTH_USER']=='oauth' && $_SERVER['PHP_AUTH_PW'] is an active introspection token or there's an active introspection token in the Authorization: Token <introspection-token> header[1].
[1] The checker would first try to see if there's an Authorization header and check that and if that fails, fail, but if there's no Authorization header, it would fall back to the HTTP Basic Auth check, and if that fails it'd fall back to the OIDC assuming this conditional doesn't match:
// From https://github.com/Rouji/single_php_filehost
// decide what to do, based on POST parameters etc.
if (isset($_FILES['file']['name']) &&
isset($_FILES['file']['tmp_name']) &&
is_uploaded_file($_FILES['file']['tmp_name']))
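The check order described in the post above (Authorization: Token header first, then HTTP Basic with user oauth, then the OIDC session), written out as an added example; it is not code from the thread or from single_php_filehost. The introspection callable, the oidc_sub session key and the demo token are assumptions, and it assumes the web server passes the header to PHP as $_SERVER['HTTP_AUTHORIZATION']; a Basic header is routed to the Basic check rather than treated as a failed Token header.

```php
<?php
declare(strict_types=1);

// Added example, not code from single_php_filehost or from this thread.
// $introspect is a hypothetical callable(string $token): array that returns the
// decoded RFC 7662 introspection response, e.g. ['active' => true, 'sub' => 'alice'].
// $session['oidc_sub'] is a hypothetical key set after a browser OIDC login.
function authenticate_upload(array $server, array $session, callable $introspect): array
{
    $deny = ['ok' => false, 'via' => 'none', 'user' => null];
    $check = function (string $token, string $via) use ($introspect, $deny): array {
        $resp = $token !== '' ? $introspect($token) : [];
        // Only a literal boolean true counts as an active token.
        return ($resp['active'] ?? false) === true
            ? ['ok' => true, 'via' => $via, 'user' => $resp['sub'] ?? null]
            : $deny;
    };

    // 1. "Authorization: Token <token>": check it and stop; a bad token never
    //    falls through to a later path.
    $header = trim((string) ($server['HTTP_AUTHORIZATION'] ?? ''));
    if ($header !== '' && stripos($header, 'Basic ') !== 0) {
        return preg_match('/^Token\s+(\S+)$/i', $header, $m) === 1
            ? $check($m[1], 'token-header')
            : $deny;
    }

    // 2. HTTP Basic with the fixed user "oauth" and the token as password.
    if (($server['PHP_AUTH_USER'] ?? null) === 'oauth') {
        $result = $check((string) ($server['PHP_AUTH_PW'] ?? ''), 'basic');
        if ($result['ok']) {
            return $result;
        }
    }

    // 3. Browser session created by the OIDC login.
    $sub = $session['oidc_sub'] ?? '';
    return is_string($sub) && $sub !== ''
        ? ['ok' => true, 'via' => 'oidc-session', 'user' => $sub]
        : $deny;
}

// Constructed demo: a fake introspection endpoint that knows one token.
$fake = fn (string $t): array => $t === 'tok-demo-1' ? ['active' => true, 'sub' => 'alice'] : ['active' => false];
var_dump(authenticate_upload(['HTTP_AUTHORIZATION' => 'Token tok-demo-1'], [], $fake));
var_dump(authenticate_upload(['HTTP_AUTHORIZATION' => 'Token wrong'], ['oidc_sub' => 'bob'], $fake));
var_dump(authenticate_upload(['PHP_AUTH_USER' => 'oauth', 'PHP_AUTH_PW' => 'tok-demo-1'], [], $fake));
```

The second demo call shows the fail-closed case: a rejected Token header is denied even though a valid browser session is present.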