Adding authentication steps diagram

Siecje · Mar 8, 2017 · 520427f · 520427f
1 parent 78c952b
commit 520427f
Show file tree

Hide file tree

Showing 9 changed files with 913 additions and 137 deletions.
diff --git a/README.md b/README.md
@@ -17,12 +17,14 @@ If auth token is valid route to the internal service (ex. port 9000), passing th
 
 When you login to the auth service it will provide an auth token which will be used for subsequent requests.
 
+[Diagram](https://github.com/Siecje/nginx-auth-proxy/blob/master/steps.md)
+
 ## Adding a new service
 
 Add the nginx config to run the service locally on an available port.
-Configure the new service to authenticate via ```REMOTE_USER```.
-Add the required headers for the service to ```authenticator.py```
-Restart ```nginx```.
+Configure the new service to authenticate via `REMOTE_USER`.
+Add the required headers for the service to `authenticator.py`
+Restart `nginx`.
 
 ## Running
 
@@ -48,5 +50,5 @@ python authenticator.py &
 python service.py &
 ```
 
-When you visit ```http://localhost:8081``` you will need to login.
+When you visit `http://localhost:8081` you will need to login.
 As long as you use the username 'admin' you will be able to access the service.
diff --git a/authenticator.py b/authenticator.py
@@ -1,6 +1,6 @@
 import base64
 
-from flask import Flask, abort, make_response, render_template, request
+from flask import Flask, abort, make_response, redirect, render_template, request
 from flask_wtf import Form
 from wtforms import HiddenField, StringField, PasswordField
 from wtforms.validators import DataRequired
@@ -35,10 +35,13 @@ def ValidUser(user, password):
 
 @app.route('/', methods=['GET'])
 def authenticate():
-    token = request.headers.get('token')
+    token = request.cookies.get('token')
+    print(token)
     if token is None:
         abort(401)
     username, password = DecodeToken(token)
+    print(username)
+    print(password)
     if ValidUser(username, password) is not None:
         # Add headers to be authenticated with services
         resp = make_response()
@@ -48,9 +51,9 @@ def authenticate():
     abort(401)
 
 
-@app.route('/login/', methods=["GET", "POST"])
+@app.route('/login', methods=['GET', 'POST'])
 def login():
-    target = request.headers.get('X-Target', "")
+    target = request.headers.get('X-Original-URI', '')
     print 'Target: ' + target
     form = LoginForm(target = target)
     if form.validate_on_submit():
@@ -60,14 +63,15 @@ def login():
         target = form.target.data
         auth_token = ValidUser(username, password)
         if auth_token:
-            resp = make_response()
+            resp = make_response(redirect(target))
             resp.set_cookie('token', auth_token)
             print "before target"
             print target
             resp.headers['Location'] = target
             return resp
+
     return render_template('login.html', form=form)
 
 
-if __name__ == "__main__":
+if __name__ == '__main__':
     app.run(port = AUTH_PORT)
diff --git a/nginx.conf b/nginx.conf
@@ -3,8 +3,6 @@ error_log /var/log/nginx/error.log debug;
 events { }
 
 http {
-    proxy_cache_path cache/  keys_zone=auth_cache:10m;
-
     # The application listens on port 9000 as implemented
     # in service.py.
     upstream backend {
@@ -31,24 +29,24 @@ http {
         }
 
         location /login {
-            proxy_pass http://authenticator/login;
-            proxy_set_header X-Target $request_uri;
+            #proxy_pass http://authenticator/login;
+            proxy_pass http://127.0.0.1:8000/login;
+            proxy_set_header X-Original-URI $request_uri;
         }
 
         location = /auth-proxy {
             internal;
 
             # The authenticator listens on port 8000, as set
             # in authenticator.py.
-            proxy_pass http://authenticator/;
+            #proxy_pass http://authenticator/;
+            proxy_pass http://127.0.0.1:8000/;
 
             proxy_pass_request_body off;
             proxy_set_header Content-Length "";
             # Login service returns a redirect to the original URI
             # and sets the cookie for the authenticator
-            proxy_set_header X-Target $request_uri;
-            proxy_cache auth_cache;
-            proxy_cache_valid 200 403 10m;
+            proxy_set_header X-Original-URI $request_uri;
         }
     }
 }
diff --git a/notes/Auth.graphml b/notes/Auth.graphml
diff --git a/notes/first.png b/notes/first.png
diff --git a/notes/second.png b/notes/second.png
diff --git a/notes/third.png b/notes/third.png
diff --git a/service.py b/service.py
@@ -8,8 +8,8 @@
 @app.route('/', methods=["GET"])
 def home():
     remote_user = request.headers.get('REMOTE_USER')
-    print remote_user
-    return "This is the service"
+    print(remote_user)
+    return "Hello {}, this is the service.".format(remote_user)
 
 
 if __name__ == "__main__":

diff --git a/steps.md b/steps.md
@@ -0,0 +1,7 @@
+# Steps to reaching a service
+
+![Step 1](https://raw.githubusercontent.com/siecje/nginx-auth-proxy/master/notes/first.png)
+
+![Step 2](https://raw.githubusercontent.com/siecje/nginx-auth-proxy/master/notes/second.png)
+
+![Step 3](https://raw.githubusercontent.com/siecje/nginx-auth-proxy/master/notes/third.png)