S2Ler/ExpressSwift

protecting routes /Post

gurugeek opened this issue · 4 comments

This is again not an issue just a request for clarification and/or a feature request :)
I am using ExpressSwift for a traditional CMS so we have an admin area where the admin can add/delete/edit pages.

So I faced two issues: one is protecting the routes and the second is limiting POST requests to a certain user (or IP).

My workaround is not very elegant: I couldn't find a way to get basic auth to work with swift (e.g. https://github.com/jjb3rd/HttpBasicAuth this does not work).

So what I did is protect the admin pages with pagecrypt. This doesn't solve the problem that if someone knows the "POST" route they can simply bypass all the protections. So as another not-so-elegant workaround I am restricting any POST (on NGINX) to the admin IP.

In short: is there a way to protect routes, e.g. with HTTP basic auth or something similar?
Thanks!

S2Ler commented

There are two things here in play:

  • Parsing Basic Auth header
    https://github.com/jjb3rd/HttpBasicAuth should work if you convert from request.head.headers of type HTTPHeaders to [String: String] dictionary which is required by this library. Or write your own.
  • Protect connection with HTTPS
    This is not possible to do at the moment. I will try to add https support this week hopefully.
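As an added example (not ExpressSwift's own code and not the linked library), here is what "write your own" could look like in Swift: parse the `Authorization: Basic` header out of the `[String: String]` dictionary and compare the credentials in constant time. The conversion from NIO `HTTPHeaders` to that dictionary and the route wiring are assumed to be done by the app.

```swift
import Foundation

/// Credentials carried by an `Authorization: Basic <base64(user:pass)>` header.
struct BasicCredentials: Equatable {
    let user: String
    let password: String
}

/// Parse the value of an Authorization header. Returns nil when the scheme is not
/// Basic, the payload is not valid base64, or the decoded text has no ':' separator.
func parseBasicAuth(_ headerValue: String) -> BasicCredentials? {
    let parts = headerValue.split(separator: " ", maxSplits: 1, omittingEmptySubsequences: true)
    guard parts.count == 2, parts[0].lowercased() == "basic" else { return nil }
    guard let data = Data(base64Encoded: String(parts[1])),
          let decoded = String(data: data, encoding: .utf8) else { return nil }
    // RFC 7617: the user-id cannot contain ':', the password may.
    guard let sep = decoded.firstIndex(of: ":") else { return nil }
    return BasicCredentials(user: String(decoded[..<sep]),
                            password: String(decoded[decoded.index(after: sep)...]))
}

/// Compare two strings in constant time so response timing does not reveal how many
/// leading bytes matched.
func constantTimeEquals(_ a: String, _ b: String) -> Bool {
    let x = Array(a.utf8), y = Array(b.utf8)
    guard x.count == y.count else { return false }
    var diff: UInt8 = 0
    for i in 0..<x.count { diff |= x[i] ^ y[i] }
    return diff == 0
}

/// Gate for an admin route. `headers` is the [String: String] form mentioned above;
/// building it from request.head.headers (NIO HTTPHeaders) is assumed to happen elsewhere.
/// Basic credentials are only base64-encoded, not encrypted, so this must sit behind HTTPS.
func isAuthorized(headers: [String: String], expected: BasicCredentials) -> Bool {
    // Header names are case-insensitive, so match the key case-insensitively.
    guard let raw = headers.first(where: { $0.key.lowercased() == "authorization" })?.value,
          let creds = parseBasicAuth(raw) else { return false }
    // Evaluate both comparisons before combining so neither is skipped.
    let userOK = constantTimeEquals(creds.user, expected.user)
    let passOK = constantTimeEquals(creds.password, expected.password)
    return userOK && passOK
}

// Constructed sample: "admin:s3cret" base64-encoded is "YWRtaW46czNjcmV0".
let expected = BasicCredentials(user: "admin", password: "s3cret")
print(isAuthorized(headers: ["Authorization": "Basic YWRtaW46czNjcmV0"], expected: expected)) // true
print(isAuthorized(headers: [:], expected: expected))                                          // false
```

A route handler that gets `false` should answer 401 with a `WWW-Authenticate: Basic realm="admin"` header, which is what makes browsers prompt for credentials.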

Thanks for your reply @diejmon !
Well, https://github.com/jjb3rd/HttpBasicAuth doesn't work as a package for Swift 5, so I'm not sure what to change to make it work. If you have an example, this would go a long mile (and if you need some sponsorship for the time invested to fix this, I would be happy to contribute with a donation, e.g. via PayPal).

I am not sure how HTTPS would solve the problem. I have the script live using HTTPS (Nginx reverse proxy). I solved the static asset issue with Nginx and also the form POST, but having to determine which IP can post is a mess ;)

S2Ler commented
  1. https://github.com/jjb3rd/HttpBasicAuth is outdated, but you can easily make a fork and upgrade it to Swift 5.1.

  2. I didn't know that you protect your connection with HTTPS, so HTTPS support isn't required for you right now.

  3. You want to filter by IP. It is not possible right now, but the callee IP address is exposed by NIO, so I can expose this information to ExpressSwift as well. But I'm not sure it is a good way to protect your endpoint. I would combine IP filtering, HTTPS and basic auth.

  4. When the IP is exposed in Request you can easily filter by IP with... I will show once IP is added.

Sorry @diejmon some confusion from my part :)

    • If httpBasicAuth is working then there is no need for IP limiting for POST requests, as these would be automatically rejected if there is no u/pw header.
    • My current workaround (without HTTP auth) is through NGINX. POST requests are allowed only from my IP. This didn't solve the issue with protecting the admin page, which I solved through a JS library.

Will see if I can fix and upgrade the HTTP basic auth library. Of course any update you can do to the code is most welcome (I don't think that POST endpoints are useful without authentication. Even if used for an API, then everyone can post...).