From 0f709b0a985272502545797992299f56d93baf27 Mon Sep 17 00:00:00 2001
From: Michael Housh
Date: Fri, 11 Apr 2025 11:05:40 -0400
Subject: [PATCH] feat: Adds pocket id authentication to caddy.

---
 Caddyfile | 55 +++++++++++++++++++++++++++++++++++++++++++++++++++---
 Dockerfile | 3 ++-
 2 files changed, 54 insertions(+), 4 deletions(-)

diff --git a/Caddyfile b/Caddyfile
index dcc4e80..40ac390 100644
--- a/Caddyfile
+++ b/Caddyfile
@@ -1,4 +1,53 @@
-http://localhost {
- root * /app
- file_server
+{
+ # Port to listen on
+ http_port 80
+
+ # Configure caddy-security.
+ order authenticate before respond
+ security {
+ oauth identity provider generic {
+ delay_start 3
+ realm generic
+ driver generic
+ client_id {env.OAUTH_CLIENT_ID} # Replace with your own client ID
+ client_secret {env.OAUTH_CLIENT_SECRET} # Replace with your own client secret
+ scopes openid email profile
+ base_auth_url https://id.housh.dev
+ metadata_url https://id.housh.dev/.well-known/openid-configuration
+ }
+
+ authentication portal myportal {
+ crypto default token lifetime 3600 # Seconds until you have to re-authenticate
+ enable identity provider generic
+ cookie insecure off # Set to "on" if you're not using HTTPS
+
+ transform user {
+ match realm generic
+ action add role user
+ }
+ }
+
+ authorization policy mypolicy {
+ set auth url /caddy-security/oauth2/generic
+ allow roles user
+ inject headers with claims
+ }
+ }
 }
+
+http://localhost {
+ @auth {
+ path /caddy-security/*
+ }
+
+ route @auth {
+ authenticate with myportal
+ }
+
+ route /* {
+ authorize with mypolicy
+ root * /app
+ file_server
+ }
+}
+
diff --git a/Dockerfile b/Dockerfile
index 7ea517f..61dedf0 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -38,7 +38,8 @@ RUN npx -y pagefind --site deploy
 # ==================================================
 # Run Image
 # ==================================================
-FROM caddy:2.9.1-alpine
+#FROM caddy:2.9.1-alpine
+FROM ghcr.io/authcrunch/authcrunch:latest
 WORKDIR /app
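Review bot: The cookie setting and the listener disagree: `cookie insecure off` in the portal block marks the session cookie Secure (as I read caddy-security's option), but the only site is `http://localhost` on `http_port 80`, so a browser will not return that cookie over plain HTTP, and the inline comment invites flipping it to "on", which would put the session token on the wire in cleartext. Keep `insecure off`, terminate TLS in front of Caddy or use an https site address, and state that assumption in the file, e.g. `# Expects TLS termination upstream; do not set cookie insecure on`. The `# Replace with your own client ID` and `# Replace with your own client secret` comments are also misleading, since both values already come from `{env.OAUTH_CLIENT_ID}` and `{env.OAUTH_CLIENT_SECRET}`; reword them to `# Supplied via the OAUTH_CLIENT_ID environment variable at runtime` so nobody pastes a literal secret into the Caddyfile.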
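Review bot: The new base image `FROM ghcr.io/authcrunch/authcrunch:latest` is unpinned and replaces the previously pinned `caddy:2.9.1-alpine`, so every rebuild can silently pick up a different authcrunch/Caddy build and the image cannot be reproduced or bisected (hadolint DL3007). Pin a specific tag, and a digest for production, e.g. `FROM ghcr.io/authcrunch/authcrunch:<pinned-version>@sha256:<digest>`, with a comment noting which caddy-security version that build bundles. The commented-out `#FROM caddy:2.9.1-alpine` line should be deleted rather than left as a dead line. The run stage continues past the hunk (`WORKDIR /app` onward), so I cannot see whether a non-root `USER` is set for the new base.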