diff options
author | Jason A. Donenfeld <Jason@zx2c4.com> | 2014-01-15 05:49:31 (JST) |
---|---|---|
committer | Jason A. Donenfeld <Jason@zx2c4.com> | 2014-01-16 10:28:12 (JST) |
commit | d6e9200cc35411f3f27426b608bcfdef9348e6d3 (patch) | |
tree | 9cdd921b03465458d10b99ff4357f79a810501c0 /cgitrc.5.txt | |
parent | 3741254a6989b2837cd8d20480f152f0096bcb9a (diff) | |
download | cgit-d6e9200cc35411f3f27426b608bcfdef9348e6d3.zip cgit-d6e9200cc35411f3f27426b608bcfdef9348e6d3.tar.gz |
auth: add basic authentication filter framework
This leverages the new lua support. See
filters/simple-authentication.lua for explaination of how this works.
There is also additional documentation in cgitrc.5.txt.
Though this is a cookie-based approach, cgit's caching mechanism is
preserved for authenticated pages.
Very plugable and extendable depending on user needs.
The sample script uses an HMAC-SHA1 based cookie to store the
currently logged in user, with an expiration date.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Diffstat (limited to 'cgitrc.5.txt')
-rw-r--r-- | cgitrc.5.txt | 36 |
1 files changed, 35 insertions, 1 deletions
diff --git a/cgitrc.5.txt b/cgitrc.5.txt index 170e825..c45dbd3 100644 --- a/cgitrc.5.txt +++ b/cgitrc.5.txt | |||
@@ -42,6 +42,13 @@ agefile:: | |||
42 | hh:mm:ss". You may want to generate this file from a post-receive | 42 | hh:mm:ss". You may want to generate this file from a post-receive |
43 | hook. Default value: "info/web/last-modified". | 43 | hook. Default value: "info/web/last-modified". |
44 | 44 | ||
45 | auth-filter:: | ||
46 | Specifies a command that will be invoked for authenticating repository | ||
47 | access. Receives quite a few arguments, and data on both stdin and | ||
48 | stdout for authentication processing. Details follow later in this | ||
49 | document. If no auth-filter is specified, no authentication is | ||
50 | performed. Default value: none. See also: "FILTER API". | ||
51 | |||
45 | branch-sort:: | 52 | branch-sort:: |
46 | Flag which, when set to "age", enables date ordering in the branch ref | 53 | Flag which, when set to "age", enables date ordering in the branch ref |
47 | list, and when set to "name" enables ordering by branch name. Default | 54 | list, and when set to "name" enables ordering by branch name. Default |
@@ -605,6 +612,8 @@ specification with the relevant string; available values are: | |||
605 | URL escapes for a path and writes 'str' to the webpage. | 612 | URL escapes for a path and writes 'str' to the webpage. |
606 | 'html_url_arg(str)':: | 613 | 'html_url_arg(str)':: |
607 | URL escapes for an argument and writes 'str' to the webpage. | 614 | URL escapes for an argument and writes 'str' to the webpage. |
615 | 'html_include(file)':: | ||
616 | Includes 'file' in webpage. | ||
608 | 617 | ||
609 | 618 | ||
610 | Parameters are provided to filters as follows. | 619 | Parameters are provided to filters as follows. |
@@ -635,7 +644,32 @@ source filter:: | |||
635 | file that is to be filtered is available on standard input and the | 644 | file that is to be filtered is available on standard input and the |
636 | filtered contents is expected on standard output. | 645 | filtered contents is expected on standard output. |
637 | 646 | ||
638 | Also, all filters are handed the following environment variables: | 647 | auth filter:: |
648 | The authentication filter receives 11 parameters: | ||
649 | - filter action, explained below, which specifies which action the | ||
650 | filter is called for | ||
651 | - http cookie | ||
652 | - http method | ||
653 | - http referer | ||
654 | - http path | ||
655 | - http https flag | ||
656 | - cgit repo | ||
657 | - cgit page | ||
658 | - cgit url | ||
659 | When the filter action is "body", this filter must write to output the | ||
660 | HTML for displaying the login form, which POSTs to "/?p=login". When | ||
661 | the filter action is "authenticate-cookie", this filter must validate | ||
662 | the http cookie and return a 0 if it is invalid or 1 if it is invalid, | ||
663 | in the exit code / close function. If the filter action is | ||
664 | "authenticate-post", this filter receives POST'd parameters on | ||
665 | standard input, and should write to output one or more "Set-Cookie" | ||
666 | HTTP headers, each followed by a newline. | ||
667 | |||
668 | Please see `filters/simple-authentication.lua` for a clear example | ||
669 | script that may be modified. | ||
670 | |||
671 | |||
672 | All filters are handed the following environment variables: | ||
639 | 673 | ||
640 | - CGIT_REPO_URL (from repo.url) | 674 | - CGIT_REPO_URL (from repo.url) |
641 | - CGIT_REPO_NAME (from repo.name) | 675 | - CGIT_REPO_NAME (from repo.name) |