Disallow anonymous crate browsing in the frontend #164
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
feat(frontend): added `login_required` configuration option
Hirevo
added
C-enhancement
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Many users expressed the interest in restricting the anonymous browsing of the registry's crates, in the effort of allowing a truly private (in the privacy sense) crate registry.
This PR adds a new boolean configuration option called
login_required, which, if enabled, prevents unauthenticated users from browsing the registry using the frontend's pages.This, however, still does not make the registry completely opaque to anonymous users by itself, due to some of Cargo's APIs not supporting authentication as of yet.
Cargo sends no token to these endpoints so we can't really require one, like:
/api/v1/crates?<q>), used bycargo search, which can be used to list all crates in the registry./api/v1/crates/:crate/:version/download), used bycargo fetch, which can be used to download any crate in the registry.(I talk about this situation in more depth in this issue comment, if you wonder why is it like that and what is currently planned to be done about it by the Cargo team)
So, as of today, the definitive way of preventing every kind of anonymous browsing would still be to host the registry in a private network, and require the use of VPN or a proxy (like an SSH tunnel) to access it.