-
Notifications
You must be signed in to change notification settings - Fork 225
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add access check to middleware #52
base: main
Are you sure you want to change the base?
Conversation
|
6090887
to
46757fc
Compare
@JacobLinCool thoughts on this? having a tool like this open to the world by default gives me the heebie jeebies :) |
Hi @johtso, Sorry for the late reply; I haven't had time to check this until now. I agree with you that this kind of management tool should be protected by default. I have just a few questions to ask. At https://github.com/JacobLinCool/d1-manager/pull/52/files#diff-b5aa13ce0a61c3f166000471d0729aa6a8e57292fdbd8d88452443502e4b9a4aR26-R29, I see What will happen if the deployer forgets to set |
Yeah definitely needs some validation on the env vars. Currently would just throw an error resulting in a redirection to the login page. I like the idea of a helpful page if misconfigured. Perhaps there could be a DISABLE_ZERO_TRUST variable instead of IS_LOCAL that can be set in the dev env file and also used if someone really wants to expose their db to the world (not sure why you would though) If that's not set and domain and aud aren't set, we redirect to a page instructing to set them. Also worth checking what happens if they're set, but set to bad values.. |
WIP, Haven't quite got this working yet, not too familiar with SvelteKit.Edit: Should be working now!
Had to copy and paste code from the pages plugin because it's not exported.
Had to edit it to look for the JWT in the cookies header because sometimes that's the only place it's provided. Seems a little odd that I had to do that?
ACCESS_AUD and ACCESS_DOMAIN env vars need to be set.
#51