Add access check to middleware #52
Conversation
|
johtso
force-pushed
the
access-check-middleware
branch
from
6090887 to
46757fc
Compare
|
@JacobLinCool thoughts on this? having a tool like this open to the world by default gives me the heebie jeebies :) |
|
Hi @johtso, Sorry for the late reply; I haven't had time to check this until now. I agree with you that this kind of management tool should be protected by default. I have just a few questions to ask. At https://github.com/JacobLinCool/d1-manager/pull/52/files#diff-b5aa13ce0a61c3f166000471d0729aa6a8e57292fdbd8d88452443502e4b9a4aR26-R29, I see What will happen if the deployer forgets to set |
|
Yeah definitely needs some validation on the env vars. Currently would just throw an error resulting in a redirection to the login page. I like the idea of a helpful page if misconfigured. Perhaps there could be a DISABLE_ZERO_TRUST variable instead of IS_LOCAL that can be set in the dev env file and also used if someone really wants to expose their db to the world (not sure why you would though) If that's not set and domain and aud aren't set, we redirect to a page instructing to set them. Also worth checking what happens if they're set, but set to bad values.. |
WIP, Haven't quite got this working yet, not too familiar with SvelteKit.Edit: Should be working now!
Had to copy and paste code from the pages plugin because it's not exported.
Had to edit it to look for the JWT in the cookies header because sometimes that's the only place it's provided. Seems a little odd that I had to do that?
ACCESS_AUD and ACCESS_DOMAIN env vars need to be set.
#51