Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add access check to middleware #52

Open
wants to merge 2 commits into
base: main
Choose a base branch
from

Conversation

johtso
Copy link
Contributor

@johtso johtso commented Apr 7, 2024

WIP, Haven't quite got this working yet, not too familiar with SvelteKit.

Edit: Should be working now!

Had to copy and paste code from the pages plugin because it's not exported.

Had to edit it to look for the JWT in the cookies header because sometimes that's the only place it's provided. Seems a little odd that I had to do that?

ACCESS_AUD and ACCESS_DOMAIN env vars need to be set.

#51

Copy link

changeset-bot bot commented Apr 7, 2024

⚠️ No Changeset found

Latest commit: 46757fc

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@johtso
Copy link
Contributor Author

johtso commented Jun 7, 2024

@JacobLinCool thoughts on this? having a tool like this open to the world by default gives me the heebie jeebies :)

@JacobLinCool
Copy link
Owner

Hi @johtso,

Sorry for the late reply; I haven't had time to check this until now.

I agree with you that this kind of management tool should be protected by default. I have just a few questions to ask. At https://github.com/JacobLinCool/d1-manager/pull/52/files#diff-b5aa13ce0a61c3f166000471d0729aa6a8e57292fdbd8d88452443502e4b9a4aR26-R29, I see domain and aud are string | undefined, but the generateValidator here https://github.com/JacobLinCool/d1-manager/pull/52/files#diff-ee7608ac5b52158ab7ceee2a958e7e5831beb5a57a51ea223d1248fc25ab5ac3R117 wants only string, right? I didn't see any check or cast between those two.

What will happen if the deployer forgets to set ACCESS_DOMAIN and ACCESS_AUD in the env vars? Can we redirect them to a non-protected page to show the error or instructions to set the env vars?

@johtso
Copy link
Contributor Author

johtso commented Jun 8, 2024

Yeah definitely needs some validation on the env vars. Currently would just throw an error resulting in a redirection to the login page.

I like the idea of a helpful page if misconfigured.

Perhaps there could be a DISABLE_ZERO_TRUST variable instead of IS_LOCAL that can be set in the dev env file and also used if someone really wants to expose their db to the world (not sure why you would though)

If that's not set and domain and aud aren't set, we redirect to a page instructing to set them.

Also worth checking what happens if they're set, but set to bad values..

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants