Public private view #1328
…sclosure Critical security fixes:
- Memory store: GetEndpointStatusByKey was ignoring onlyPublic parameter, allowing unauthorized access to private endpoints
- SQL store: GetEndpointStatus returned different errors for private vs non-existent endpoints, enabling enumeration attacks
Both now return consistent ErrEndpointNotFound for unauthorized access.

Apply the same authentication and visibility pattern to suites:
- Add Public field to Suite, SuiteStatus, and Result structs
- Add SuiteStatusVisibility DTO for visibility management
- Update store interface signatures with onlyPublic parameter
- Update database schemas with suite_public columns
This provides the foundation for suite visibility control, matching the pattern used for endpoints.

Update SuiteStatuses and SuiteStatus handlers to:
- Check user authentication status
- Pass onlyPublic flag to storage layer
- Filter config-based fallback by visibility
- Return consistent 404 for unauthorized access
Completes the suite visibility feature at the API layer.
Update initializeStorage to track and update suite visibility on application startup, matching the pattern used for endpoints. This ensures suite visibility is synced with configuration on every application start and hot reload.
Implement endpoint-level authentication mode where authentication is optional but filters visible data based on public/private status:

**API Changes:**
- Add global vs endpoint-level auth routing in api.go
- Update EndpointStatuses and EndpointStatus handlers with auth checks
- Add cache key separation for public/private data
- Update badge endpoints to respect visibility

**Configuration:**
- Add Public field to Endpoint, ExternalEndpoint, Result, and Status
- Add EndpointStatusVisibility DTO for visibility management
- Extend security config with Level field (global/endpoint)
- Implement IsAuthenticated() for Basic Auth
- Add IsGlobal() helper method

**Features:**
- Routes conditionally protected based on security.level
- Unauthenticated users see only public endpoints
- Authenticated users see all endpoints
- Cache keys include auth status to prevent data leakage
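The two security-relevant points in the commit messages above (the "Critical security fixes" commit and the endpoint-level auth commit) are the same pattern applied twice: a visibility-filtered lookup that returns one and the same ErrEndpointNotFound for a private endpoint and a non-existent one, and a response-cache key that includes the caller's auth state so a private view is never handed to an anonymous client. The following Go snippet is an added example written for this page; it is not code from this PR or from the project. It assumes a reduced Endpoint model with only Key and Public, a hypothetical MemoryStore with NewMemoryStore, GetEndpointStatusByKey and GetEndpointStatuses, and a hypothetical CacheKey helper; only the names onlyPublic, GetEndpointStatusByKey and ErrEndpointNotFound come from the commit message, and their signatures here are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
	"sync"
)

// ErrEndpointNotFound is the single error returned for every lookup that must
// not leak whether a key exists: an unknown key and a private endpoint hidden
// from an unauthenticated caller both map to it.
var ErrEndpointNotFound = errors.New("endpoint not found")

// Endpoint is a deliberately reduced model (assumption: the project's real
// status types carry many more fields); only Key and Public matter here.
type Endpoint struct {
	Key    string
	Public bool
}

// MemoryStore is a hypothetical in-memory store with the visibility-aware
// lookups described in the commit messages.
type MemoryStore struct {
	mu        sync.RWMutex
	endpoints map[string]*Endpoint
}

// NewMemoryStore builds a store from the given endpoints.
func NewMemoryStore(endpoints ...*Endpoint) *MemoryStore {
	s := &MemoryStore{endpoints: make(map[string]*Endpoint, len(endpoints))}
	for _, ep := range endpoints {
		s.endpoints[ep.Key] = ep
	}
	return s
}

// GetEndpointStatusByKey looks up one endpoint. onlyPublic is true when the
// caller is not authenticated. The existence check and the visibility check
// share one condition, so a private endpoint and a missing one produce the
// same error on the same code path; a distinct "private" error would act as
// an existence oracle for anonymous callers.
func (s *MemoryStore) GetEndpointStatusByKey(key string, onlyPublic bool) (*Endpoint, error) {
	s.mu.RLock()
	defer s.mu.RUnlock()
	ep, ok := s.endpoints[key]
	if !ok || (onlyPublic && !ep.Public) {
		return nil, ErrEndpointNotFound
	}
	return ep, nil
}

// GetEndpointStatuses returns the endpoints visible to the caller, sorted by
// key so the result is deterministic.
func (s *MemoryStore) GetEndpointStatuses(onlyPublic bool) []*Endpoint {
	s.mu.RLock()
	defer s.mu.RUnlock()
	visible := make([]*Endpoint, 0, len(s.endpoints))
	for _, ep := range s.endpoints {
		if onlyPublic && !ep.Public {
			continue
		}
		visible = append(visible, ep)
	}
	sort.Slice(visible, func(i, j int) bool { return visible[i].Key < visible[j].Key })
	return visible
}

// CacheKey derives the response-cache key for a status page. The caller's
// authentication state is part of the key so that a page rendered for an
// authenticated user is never served from cache to an anonymous one.
func CacheKey(key string, authenticated bool) string {
	if authenticated {
		return "endpoint-status-private:" + key
	}
	return "endpoint-status-public:" + key
}

func main() {
	// Constructed sample data: one public and one private endpoint.
	store := NewMemoryStore(
		&Endpoint{Key: "core_website", Public: true},
		&Endpoint{Key: "core_internal-db", Public: false},
	)
	for _, key := range []string{"core_website", "core_internal-db", "core_does-not-exist"} {
		_, err := store.GetEndpointStatusByKey(key, true)
		// The private key and the unknown key print the identical error.
		fmt.Printf("anonymous lookup %-22s -> %v\n", key, err)
	}
	fmt.Println("anonymous sees", len(store.GetEndpointStatuses(true)), "endpoint(s)")
	fmt.Println("authenticated sees", len(store.GetEndpointStatuses(false)), "endpoint(s)")
	fmt.Println(CacheKey("core_website", false), "vs", CacheKey("core_website", true))
}
```

The point worth checking in review of any such change is that the two failure cases are not merely the same error value but the same status code, body and timing at the handler; the 404 the suite handlers commit mentions is the HTTP-level half of this.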
Implement frontend authentication UI and logic:

**New Files:**
- auth.js: Authentication utilities for storing/retrieving credentials and making authenticated fetch requests

**App.vue Updates:**
- Add Basic Auth modal with username/password inputs
- Implement sign in/sign out functionality
- Add user menu for authenticated users
- Support both mobile and desktop layouts
- Handle endpoint-level vs global authentication modes
- Update config fetch to use authenticated requests

**View Updates:**
- Home.vue: Use authenticatedFetch for endpoint/suite data
- SuiteDetails.vue: Use authenticatedFetch for suite status

**Features:**
- Basic Auth credentials stored in localStorage (Base64 encoded)
- Seamless authentication flow without page reloads
- Shows public endpoints when unauthenticated
- Shows all endpoints when authenticated
- User-friendly error messages

**Dependencies:**
- Removed unused UI dependencies (headlessui, heroicons, radix-vue, vueuse)

**Configuration:**
- Update config.yaml with endpoint-level auth example
- Add basic auth credentials and public endpoint markers
- Configure SQLite storage for testing

**Tests:**
- Add test for default auth level (global)
- Add test for invalid auth level validation
- Fix config test formatting
This demonstrates the endpoint-level authentication feature where authentication is optional but filters visible data.
I appreciate your enthusiasm, but you should've really created an issue first so we could discuss the feature before you jump straight to the implementation and risk wasting your time 😅 I also want to add support for public and private endpoints in the future, but I don't have the time to spend on this right now and it's not currently at the top of my list of priorities. To keep it short, I'd like to have RBAC support for OIDC, with support for a public role. I don't want to just add a |
@TwiN I thought I had opened my PR against my own fork, oops. Alright, that makes sense. I went this way after reading #638, where a config by endpoint was what you added. I'll go back to the issue and explain my This feature is what's missing for my org to onboard this tool |
@loispostula My bad, I see there is already #1328 opened by somebody else, and I did already sort of give my thumbs up for it; I had completely forgotten about it 🤦 Feel free to keep working on it, and since I already gave the green light, I'll make some time to look at it. Keep going with your approach of using the |
Let's go with your approach for now. The only change I'd make at a glance is perhaps put

```yaml
endpoints:
  - name: ...
    visibility:
      public: true
```

This would allow us to add support for RBAC later without making breaking changes, as we could put it all under the |