Part of an app/website outside SSO

Hi!
Is it possible to share a specific part of a website outside SSO? What I mean is, I would like to have access to the application in the domain example.com restricted only to SSO, but to make a certain section publicly accessible if someone visits the address example.com/public.

Hello and welcome!

It’s possible with the permissions mechanism when writing something like this in the manifest nextcloud_ynh/manifest.toml at 05f2feff360f8cc38e883eda9cbb5ec3c0ea8e77 · YunoHost-Apps/nextcloud_ynh · GitHub

Where can I find this? I didn’t specify clearly, but I mean an already installed application, in this case Microbin.

So indeed, everything goes through the SSO if you didn’t allow access to visitors.

Which part of the url would you like to set outside of the sso? Could this benefit all the YunoHost users?

It may be possible to override the /etc/ssowat/json.conf by editing the /etc/ssowat/json.conf.persistent:

{
    "permissions": {
        "myapp.restricted": {
            "auth_header": false,
            "public": false, # restricted access
            "uris": [
                "mydomain.tld/files" # the sso protected path
            ],
            "users": [
                # list of allowed users
            ]
        }
    }
}

I think this function would also be useful for others. The idea is that I would like the public part to be DOMAIN/p/* (or another value defined in an environment variable MICROBIN_SHORT_PATH). This is so that it can be set so only logged-in users can create links, but everyone can access them.

Theoretically, it looks good, but in practice, it’s the opposite because I want the main domain to be public, but /p to be public

:thinking:

You mean “the main domain to be private” ? You can try this but I’m not sure it will work as some files must be loaded from the domain root.

{
    "permissions": {
        "myapp.unrestricted": {
            "auth_header": false,
            "public": true, # unrestricted access
            "uris": [
                "mydomain.tld/p"
            ],
            "users": [
                # list of allowed users
            ]
        },
        "myapp.restricted": {
            "auth_header": false,
            "public": false, # restricted access
            "uris": [
                "mydomain.tld/" # the sso protected path
            ],
            "users": [
                # list of allowed users
            ]
        }
    }
}

“auth_header” may be adapted according to your app’s setting.

It works very well! Thank you for your help!

If you find it useful, a PR will be welcome

I don’t think it will work if you clear cookies… Sorry…

Unfortunately, I don’t know how to add it so that it can be modified from the interface or the cli :confused:

I simply modified the json.conf.persistent file, and I think it should not be enabled by default, and the user should have the option to disable it.

When I opened the incognito window, it worked :man_shrugging:

Yes, it works if you unprotect the /raw path and provide the full logfile link.
Since raw log files do not need CSS, img etc., it does the trick.

I did not share the path /raw. I only modified the file in this way:

{
    "permissions": {
        "microbin.paste": {
            "auth_header": false,
            "public": true,
            "uris": [
                "example.com/upload", // CHANGED DOMAIN
                "example.com/file/",
                "example.com/static/"
            ],
            "users": [
                "miersetnik"
            ]
        },
        "microbin.main": {
            "auth_header": false,
            "public": false,
            "uris": [
                "example.com"
            ],
            "users": [
                "miersetnik"
            ]
        }
    }
}

So I think I only gave public access to the paths /upload, /file/ and /static

Ok. So there’s a /static/ folder allowing loading style. You can also add /raw/ to allow access to raw format.
Issue solved :wink:


A small update. I modified this file again because it turned out that it only works with file uploads and not with text uploads.

{
    "permissions": {
        "microbin.paste": {
            "auth_header": false,
            "public": true,
            "uris": [
                "example.com/p",        // CHANGED DOMAIN
                "example.com/upload",
                "example.com/file/",
                "example.com/static/"
            ],
            "users": [
                "miersetnik"
            ]
        },
        "microbin.main": {
            "auth_header": false,
            "public": false,
            "uris": [
                "example.com"
            ],
            "users": [
                "miersetnik"
            ]
        }
    }
}

I would gladly create a PR adding the ability to modify these permissions within the interface or via the cli. However, I have no idea which files to modify, or how, to make this work.
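The overlays posted above list URI prefixes per permission; the sketch below (added here, not code from the thread or from YunoHost) reports which candidate URLs end up reachable without login. It assumes the SSO applies the permission with the longest matching URI prefix; the sample overlay, the function names and the `/profile` path are constructed for illustration.

```python
import json

# Constructed overlay modelled on the last config in the thread, without the
# "//" annotations: strict JSON parsers reject comments.
OVERLAY = """
{
  "permissions": {
    "microbin.paste": {
      "auth_header": false, "public": true,
      "uris": ["example.com/p", "example.com/upload",
               "example.com/file/", "example.com/static/"],
      "users": []
    },
    "microbin.main": {
      "auth_header": false, "public": false,
      "uris": ["example.com"],
      "users": []
    }
  }
}
"""

def load_permissions(text):
    """Parse the overlay; raise ValueError naming the line if it is not strict JSON."""
    try:
        return json.loads(text)["permissions"]
    except json.JSONDecodeError as exc:
        raise ValueError(f"not valid JSON at line {exc.lineno}: {exc.msg}") from exc

def effective_permission(permissions, url):
    """Return (permission name, public flag) for url, or None if nothing matches."""
    # ASSUMPTION: the longest matching URI prefix wins when permissions overlap.
    best = None
    for name, perm in permissions.items():
        for uri in perm["uris"]:
            if url.startswith(uri) and (best is None or len(uri) > len(best[0])):
                best = (uri, name, perm["public"])
    return None if best is None else best[1:]

def public_paths(permissions, urls):
    """List the candidate URLs a visitor could open without logging in."""
    hits = ((u, effective_permission(permissions, u)) for u in urls)
    return [u for u, hit in hits if hit and hit[1]]
```

Under the prefix assumption, `example.com/p` (no trailing slash) also covers `example.com/profile`, so running the audit over the application's real route list shows whether a public entry is wider than intended. Writing the entry as `example.com/p/` narrows it to the paste paths.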

@Tho @jarod5001
I’m considering two possible changes. Which one do you think is the most appropriate ?
a) setting access to root only for users and modifying nginx.conf adding

location ~ ^/(upload|static|raw|qr|p)/ {
  access_by_lua_block { return }
  proxy_pass http://127.0.0.1:__PORT__;
  proxy_set_header Host $host;
  proxy_set_header X-Real-IP $remote_addr;
  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  proxy_set_header X-Forwarded-Proto $scheme;
}

and an option in config_panel to switch between allowing access to shared files and making the whole site private

b) modifying the manifest… :face_with_peeking_eye:


    [resources.permissions]
    main.url = "/"
    upload.url = "/upload"
    upload.show_tile = false   
    upload.allowed = "visitors"
    static.url = "/static"
    static.show_tile = false   
    static.allowed = "visitors"
    raw.url = "/raw"
    raw.show_tile = false   
    raw.allowed = "visitors"
    qr.url = "/qr"
    qr.show_tile = false   
    qr.allowed = "visitors"
    p.url = "/p"
    p.show_tile = false