Implement comprehensive authentication system with support for Basic Auth, Flask-Login, and OAuth2 providers. Features: - Pluggable architecture via factory pattern - Multiple authentication providers: * None: No authentication (development/testing) * Basic Auth: HTTP Basic with bcrypt support * Flask-Login: Session-based with multiple users * OAuth2: Google, GitHub, GitLab, and generic providers - Decorator-based route protection (@auth.require_auth) - User authorization by domain or email (OAuth) - bcrypt password hashing support - Comprehensive documentation and examples Components: - libtisbackup/auth/__init__.py: Factory function and exports - libtisbackup/auth/base.py: Base provider interface - libtisbackup/auth/basic_auth.py: HTTP Basic Auth implementation - libtisbackup/auth/flask_login_auth.py: Flask-Login implementation - libtisbackup/auth/oauth_auth.py: OAuth2 implementation - libtisbackup/auth/example_integration.py: Integration examples - libtisbackup/auth/README.md: API reference and examples Documentation: - AUTHENTICATION.md: Complete authentication guide * Setup instructions for each provider * Configuration examples * Security best practices * Troubleshooting guide * Migration guide - samples/auth-config-examples.ini: Configuration templates Dependencies: - Add optional dependencies in pyproject.toml: * auth-basic: bcrypt>=4.0.0 * auth-login: flask-login>=0.6.0, bcrypt>=4.0.0 * auth-oauth: authlib>=1.3.0, requests>=2.32.0 * auth-all: All auth providers Installation: ```bash # Install specific provider uv sync --extra auth-basic # Install all providers uv sync --extra auth-all ``` Usage: ```python from libtisbackup.auth import get_auth_provider # Initialize auth = get_auth_provider("basic", { "username": "admin", "password": "$2b$12$...", "use_bcrypt": True }) auth.init_app(app) # Protect routes @app.route("/") @auth.require_auth def index(): user = auth.get_current_user() return f"Hello {user['username']}" ``` Security features: - bcrypt password 
hashing (work factor 12) - OAuth domain/user restrictions - Session-based authentication - Clear separation of concerns - Environment variable support for secrets OAuth providers supported: - Google (OpenID Connect) - GitHub - GitLab - Generic OAuth2 provider Breaking change: None - new feature, backward compatible Users can continue without authentication (type=none) 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
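# TISBackup Authentication Configuration Examples
#
# Add to tisbackup_gui.ini under [authentication] section
#
# Each "Option" below is a complete, standalone [authentication] block:
# copy exactly ONE of them into tisbackup_gui.ini. Do not load this file
# as-is: the section header is repeated on purpose, and a configparser-based
# loader in its default strict mode rejects duplicate sections.
#
# This file, tisbackup_gui.ini and any users_file referenced here hold
# secrets or password hashes: keep them readable only by the account that
# runs the GUI.


# ============================================
# Option 1: No Authentication (NOT RECOMMENDED)
# ============================================
# Only for isolated development/testing: every client that can reach the
# GUI port gets full access.
[authentication]
type = none


# ============================================
# Option 2: HTTP Basic Authentication
# ============================================
[authentication]
type = basic
username = admin
# Plain text password (NOT RECOMMENDED for production):
# anyone who can read this file can log in with it.
password = changeme
use_bcrypt = False
realm = TISBackup Admin

# RECOMMENDED: Use bcrypt hash
# Generate hash with: python3 -c "import bcrypt; print(bcrypt.hashpw(b'yourpassword', bcrypt.gensalt()).decode())"
# The hash below is only an example of the expected format; generate your
# own and never reuse it.
[authentication]
type = basic
username = admin
password = $2b$12$LQv3c1yqBWVHxkd0LHAkCOYz6TtxMQJqhN8/LewY5GyYWv.5qVQK6
use_bcrypt = True
realm = TISBackup Admin


# ============================================
# Option 3: Flask-Login (Username/Password with Sessions)
# ============================================
[authentication]
type = flask-login
# Users can be defined inline or in a file
# (inline syntax: see libtisbackup/auth/README.md)
# users_file contains password hashes: restrict its permissions like this file.
users_file = /etc/tis/users.txt
use_bcrypt = True
login_view = login

# User file format (users.txt):
# username:bcrypt_password_hash
# Example:
# admin:$2b$12$LQv3c1yqBWVHxkd0LHAkCOYz6TtxMQJqhN8/LewY5GyYWv.5qVQK6
# operator:$2b$12$abcdefghijklmnopqrstuvwxyz1234567890ABCDEFGHIJKLMNO


# ============================================
# Option 4: OAuth2 - Google
# ============================================
[authentication]
type = oauth
provider = google
client_id = your-client-id.apps.googleusercontent.com
# Prefer supplying the secret via environment variable (see Security Notes)
client_secret = your-client-secret
# Must match the redirect URI registered with the provider exactly.
# localhost/http is for local testing only; production uses the public
# https:// URL of the server.
redirect_uri = http://localhost:8080/oauth/callback
# Restrict to specific domains
authorized_domains = example.com,mycompany.com
# Or restrict to specific users. Set at least one of the two keys; how they
# combine when both are set is defined in libtisbackup/auth/oauth_auth.py -
# verify there before relying on the narrower one.
authorized_users = admin@example.com,backup-admin@example.com

# To get Google OAuth credentials:
# 1. Go to https://console.cloud.google.com/apis/credentials
# 2. Create OAuth 2.0 Client ID
# 3. Add authorized redirect URI: http://your-server:8080/oauth/callback


# ============================================
# Option 5: OAuth2 - GitHub
# ============================================
[authentication]
type = oauth
provider = github
client_id = your-github-client-id
client_secret = your-github-client-secret
# Must match the callback URL registered in the GitHub OAuth App exactly.
redirect_uri = http://localhost:8080/oauth/callback
# Restrict to specific GitHub users (by email)
# NOTE: GitHub exposes e-mail addresses only with the user:email scope;
# confirm in libtisbackup/auth/oauth_auth.py that only verified addresses
# are accepted before relying on this list.
authorized_users = admin@example.com

# To get GitHub OAuth credentials:
# 1. Go to Settings > Developer settings > OAuth Apps
# 2. Register a new application
# 3. Set Authorization callback URL: http://your-server:8080/oauth/callback


# ============================================
# Option 6: OAuth2 - GitLab
# ============================================
[authentication]
type = oauth
provider = gitlab
client_id = your-gitlab-application-id
client_secret = your-gitlab-secret
# Must match the Redirect URI registered in the GitLab application exactly.
redirect_uri = http://localhost:8080/oauth/callback
authorized_domains = example.com

# To get GitLab OAuth credentials:
# 1. Go to User Settings > Applications
# 2. Create new application with scopes: read_user, email
# 3. Set Redirect URI: http://your-server:8080/oauth/callback


# ============================================
# Option 7: OAuth2 - Generic Provider
# ============================================
[authentication]
type = oauth
provider = generic
client_id = your-client-id
client_secret = your-client-secret
redirect_uri = http://localhost:8080/oauth/callback
# Custom OAuth endpoints (use https:// only; the client secret and tokens
# travel over these URLs)
authorization_endpoint = https://auth.example.com/oauth/authorize
token_endpoint = https://auth.example.com/oauth/token
# The userinfo response presumably has to expose the user's e-mail for the
# authorized_domains / authorized_users checks to work - verify with your IdP.
userinfo_endpoint = https://auth.example.com/oauth/userinfo
# Comma-separated list of scopes requested from the provider
scopes = openid,email,profile
authorized_domains = example.com


# ============================================
# Security Notes
# ============================================
# 1. Always use HTTPS in production (reverse proxy with TLS)
# 2. Set strong Flask secret_key via TISBACKUP_SECRET_KEY env var
# 3. For Basic Auth, always use bcrypt hashed passwords
# 4. For OAuth, restrict access via authorized_domains or authorized_users
# 5. Keep client secrets secure and never commit to version control
# 6. Regularly rotate OAuth client secrets
# 7. Use environment variables for sensitive data when possible
# 8. Restrict filesystem permissions on tisbackup_gui.ini and users_file
#    (e.g. mode 600, owned by the account running the GUI)
# 9. Register only the exact https:// redirect URI at each provider;
#    wildcard or http:// callbacks weaken the OAuth flow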