|author||Jason A. Donenfeld <Jason@zx2c4.com>||2014-01-14 21:49:31 +0100|
|committer||Jason A. Donenfeld <Jason@zx2c4.com>||2014-01-16 02:28:12 +0100|
|parent||t0111: Additions and fixes (diff)|
auth: add basic authentication filter framework
This leverages the new lua support. See filters/simple-authentication.lua for explaination of how this works. There is also additional documentation in cgitrc.5.txt. Though this is a cookie-based approach, cgit's caching mechanism is preserved for authenticated pages. Very plugable and extendable depending on user needs. The sample script uses an HMAC-SHA1 based cookie to store the currently logged in user, with an expiration date. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Diffstat (limited to '')
1 files changed, 35 insertions, 1 deletions
diff --git a/cgitrc.5.txt b/cgitrc.5.txt
index 170e825..c45dbd3 100644
@@ -42,6 +42,13 @@ agefile::
hh:mm:ss". You may want to generate this file from a post-receive
hook. Default value: "info/web/last-modified".
+ Specifies a command that will be invoked for authenticating repository
+ access. Receives quite a few arguments, and data on both stdin and
+ stdout for authentication processing. Details follow later in this
+ document. If no auth-filter is specified, no authentication is
+ performed. Default value: none. See also: "FILTER API".
Flag which, when set to "age", enables date ordering in the branch ref
list, and when set to "name" enables ordering by branch name. Default
@@ -605,6 +612,8 @@ specification with the relevant string; available values are:
URL escapes for a path and writes 'str' to the webpage.
URL escapes for an argument and writes 'str' to the webpage.
+ Includes 'file' in webpage.
Parameters are provided to filters as follows.
@@ -635,7 +644,32 @@ source filter::
file that is to be filtered is available on standard input and the
filtered contents is expected on standard output.
-Also, all filters are handed the following environment variables:
+ The authentication filter receives 11 parameters:
+ - filter action, explained below, which specifies which action the
+ filter is called for
+ - http cookie
+ - http method
+ - http referer
+ - http path
+ - http https flag
+ - cgit repo
+ - cgit page
+ - cgit url
+ When the filter action is "body", this filter must write to output the
+ HTML for displaying the login form, which POSTs to "/?p=login". When
+ the filter action is "authenticate-cookie", this filter must validate
+ the http cookie and return a 0 if it is invalid or 1 if it is invalid,
+ in the exit code / close function. If the filter action is
+ "authenticate-post", this filter receives POST'd parameters on
+ standard input, and should write to output one or more "Set-Cookie"
+ HTTP headers, each followed by a newline.
+ Please see `filters/simple-authentication.lua` for a clear example
+ script that may be modified.
+All filters are handed the following environment variables:
- CGIT_REPO_URL (from repo.url)
- CGIT_REPO_NAME (from repo.name)