author Jason A. Donenfeld 2014-01-14 21:49:31 +0100
committer Jason A. Donenfeld 2014-01-16 02:28:12 +0100
commit d6e9200cc35411f3f27426b608bcfdef9348e6d3
tree 9cdd921b03465458d10b99ff4357f79a810501c0 /cgitrc.5.txt
parent t0111: Additions and fixes
auth: add basic authentication filter framework
This leverages the new lua support. See
filters/simple-authentication.lua for explanation of how this works.
There is also additional documentation in cgitrc.5.txt.

Though this is a cookie-based approach, cgit's caching mechanism is
preserved for authenticated pages.

Very pluggable and extendable depending on user needs.

The sample script uses an HMAC-SHA1 based cookie to store the
currently logged in user, with an expiration date.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Diffstat (limited to 'cgitrc.5.txt')
-rw-r--r-- cgitrc.5.txt 36
1 files changed, 35 insertions, 1 deletions
diff --git a/cgitrc.5.txt b/cgitrc.5.txt index 170e825..c45dbd3 100644 --- a/cgitrc.5.txt +++ b/cgitrc.5.txt
@@ -42,6 +42,13 @@ agefile::
42 hh:mm:ss". You may want to generate this file from a post-receive 42 hh:mm:ss". You may want to generate this file from a post-receive
43 hook. Default value: "info/web/last-modified". 43 hook. Default value: "info/web/last-modified".
44 44
45auth-filter::
46 Specifies a command that will be invoked for authenticating repository
47 access. Receives quite a few arguments, and data on both stdin and
48 stdout for authentication processing. Details follow later in this
49 document. If no auth-filter is specified, no authentication is
50 performed. Default value: none. See also: "FILTER API".
51
45branch-sort:: 52branch-sort::
46 Flag which, when set to "age", enables date ordering in the branch ref 53 Flag which, when set to "age", enables date ordering in the branch ref
47 list, and when set to "name" enables ordering by branch name. Default 54 list, and when set to "name" enables ordering by branch name. Default
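Review bot: in the new auth-filter entry, "Receives quite a few arguments, and data on both stdin and stdout" is too vague for a security-relevant option and reads as if the filter receives data on stdout. Suggest stating that the filter reads from standard input and writes to standard output, and pointing directly at the "auth filter::" entry under "FILTER API" for the parameter list. The entry also says no authentication is performed when the option is unset; consider moving that sentence to the front so an administrator does not assume a protected default.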
@@ -605,6 +612,8 @@ specification with the relevant string; available values are:
605 URL escapes for a path and writes 'str' to the webpage. 612 URL escapes for a path and writes 'str' to the webpage.
606 'html_url_arg(str)':: 613 'html_url_arg(str)'::
607 URL escapes for an argument and writes 'str' to the webpage. 614 URL escapes for an argument and writes 'str' to the webpage.
615 'html_include(file)'::
616 Includes 'file' in webpage.
608 617
609 618
610Parameters are provided to filters as follows. 619Parameters are provided to filters as follows.
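Review bot: the added 'html_include(file)' entry says only "Includes 'file' in webpage", while the neighbouring entries each state which escaping is applied before 'str' is written. Please document whether the file's contents are written to the page verbatim with no escaping, and how a relative 'file' path is resolved, so filter authors know the included file has to be trusted content.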
@@ -635,7 +644,32 @@ source filter::
635 file that is to be filtered is available on standard input and the 644 file that is to be filtered is available on standard input and the
636 filtered contents is expected on standard output. 645 filtered contents is expected on standard output.
637 646
638Also, all filters are handed the following environment variables: 647auth filter::
648 The authentication filter receives 11 parameters:
649 - filter action, explained below, which specifies which action the
650 filter is called for
651 - http cookie
652 - http method
653 - http referer
654 - http path
655 - http https flag
656 - cgit repo
657 - cgit page
658 - cgit url
659 When the filter action is "body", this filter must write to output the
660 HTML for displaying the login form, which POSTs to "/?p=login". When
661 the filter action is "authenticate-cookie", this filter must validate
662 the http cookie and return a 0 if it is invalid or 1 if it is invalid,
663 in the exit code / close function. If the filter action is
664 "authenticate-post", this filter receives POST'd parameters on
665 standard input, and should write to output one or more "Set-Cookie"
666 HTTP headers, each followed by a newline.
667
668 Please see `filters/simple-authentication.lua` for a clear example
669 script that may be modified.
670
671
672All filters are handed the following environment variables:
639 673
640- CGIT_REPO_URL (from repo.url) 674- CGIT_REPO_URL (from repo.url)
641- CGIT_REPO_NAME (from repo.name) 675- CGIT_REPO_NAME (from repo.name)
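Review bot: in the "authenticate-cookie" sentence of the new "auth filter::" entry, "return a 0 if it is invalid or 1 if it is invalid" gives the same condition for both results; the second should read "1 if it is valid", because a filter author who guesses the wrong way round inverts the access decision. The entry also says the filter "receives 11 parameters" while the list that follows has 9 items, so either the count or the list needs correcting. It would help as well to say what exit code is expected for the "body" and "authenticate-post" actions, which the text leaves unspecified.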