
Proxy authorization for irony/syncroton
Needs Review, Public

Authored by mollekopf on Oct 28 2021, 9:10 PM.

Diff Detail

Repository: rK kolab
Lint: No Linters Available
Unit: No Unit Test Coverage
Build Status: Buildable 37073
Build 14792: arc lint + arc unit

Event Timeline

mollekopf requested review of this revision. Oct 28 2021, 9:10 PM
mollekopf created this revision.
mollekopf added a reviewer: Restricted Project. Oct 28 2021, 9:17 PM

Please note this builds on some other patches for the docker related stuff.

machniak requested changes to this revision. Oct 29 2021, 10:06 AM
machniak added a subscriber: machniak.

Aren't we authenticating the user two times this way? Once in nginx and once in syncroton/iRony? Should we have an option in syncroton/iRony to disable authentication?

docker/proxy/rootfs/etc/nginx/nginx.conf, line 88

Looking at syncroton code all requests are being authenticated.

src/app/Http/Controllers/API/V4/NGINXController.php, lines 33–34

For activesync we have to support user\domain syntax. https://git.kolab.org/diffusion/S/browse/master/lib/kolab_sync.php$123

This revision now requires changes to proceed. Oct 29 2021, 10:06 AM

Aren't we authenticating the user two times this way? Once in nginx and once in syncroton/iRony? Should we have an option in syncroton/iRony to disable authentication?

Yes, we are authenticating twice. I don't think we should change that (just like we don't for IMAP).

Ultimately we should plug in our 2FA-capable authentication in saslauthd, at which point we no longer require this nginx variant, and in the meantime I don't think we need to introduce further options for what doesn't seem really problematic anyways.

mollekopf added inline comments. Oct 29 2021, 5:34 PM
docker/proxy/rootfs/etc/nginx/nginx.conf, line 88

I think Outlook on Android tried to do some unauthenticated stuff, but as you say, syncroton doesn't support that anyways, so I guess that should be fine.

src/app/Http/Controllers/API/V4/NGINXController.php, lines 33–34

I'll look into that.

mollekopf updated this revision to Diff 8615. Mon, Nov 15, 10:04 AM

Now with domain.tld\username normalization