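--- a/docs/config.md
+++ b/docs/config.md
@@ -12,6 +12,8 @@ nointernet: true/false
 risectldir: string
 ee:
 code: string
+auth:
+disable: true/false
 server:
 init: string
 host: string
@@ -47,6 +49,7 @@ You can override the YAML configuration settings by using environment variables.
 | `RCONSOLE_NOINTERNET` | `true/false` | (Optional) Whether to disable internet access, default is false. If public internet is not allowed, set it to true. Then mount risectl files to <risectl dir>/<version>/risectl. |
 | `RCONSOLE_RISECTLDIR` | `string` | (Optional) The path of the directory to store the risectl files, default is "$HOME/.risectl" |
 | `RCONSOLE_EE_CODE` | `string` | (Optional) The activation code of the enterprise edition, if not set, the enterprise edition will be disabled. |
+| `RCONSOLE_AUTH_DISABLE` | `true/false` | (Optional) Whether to disable authentication, default is false. When disabled, all API endpoints will be accessible without authentication. Useful when using an external authentication proxy (e.g., OAuth2 proxy). WARNING: Only use in trusted environments or behind a secure proxy. |
 | `RCONSOLE_SERVER_INIT` | `string` | (Optional) The path of file to store the initialization data, if not set, skip the initialization |
 | `RCONSOLE_SERVER_HOST` | `string` | (Optional) The host of the anclax server. |
 | `RCONSOLE_SERVER_PORT` | `integer` | (Optional) The port of the anclax server, default is 8020 |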
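--- a/pkg/config/config.go
+++ b/pkg/config/config.go
@@ -12,6 +12,14 @@ type Root struct {
 Password string `yaml:"password"`
 }
 
+type AuthConfig struct {
+// (Optional) Whether to disable authentication, default is false.
+// When disabled, all API endpoints will be accessible without authentication.
+// This is useful when using an external authentication proxy (e.g., OAuth2 proxy).
+// WARNING: Only use this in trusted environments or behind a secure proxy.
+Disable bool `yaml:"disable,omitempty"`
+}
+
 type Config struct {
 // (Optional) The path of file to store the initialization data, if not set, skip the initialization
 Init string `yaml:"init,omitempty"`
@@ -30,6 +38,9 @@ type Config struct {
 
 Server anclax_config.Config `yaml:"server,omitempty"`
 
+// Authentication configuration
+Auth AuthConfig `yaml:"auth,omitempty"`
+
 // (Optional) The alias of the server endpoint, it is used in the API endpoint of the web UI.
 // It should start with http:// or https:// and end with /api/v1 in normal case. e.g. https://mydomain.app/api/v1
 // If not set, the endpoint will be http://host:port. You can also add path to the alias, e.g. http://endpointalias/my/root/path.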
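Review bot: The comment on `Disable` says to use the flag "behind a secure proxy" but never states what the console stops doing, and the exported `AuthConfig` type has no doc comment of its own. Going by `pkg/controller/validator.go` in this same change, disabling means no credential is checked and every request is attributed to one default organization, so the comment should tell the operator that the listener must be reachable only through the authenticating proxy. Suggested wording: `// AuthConfig controls the console's built-in request authentication.` on the type, and on the field `// When true the console checks no credentials and treats every request as the default organization; expose the port only to the authenticating proxy.`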
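--- a/pkg/controller/validator.go
+++ b/pkg/controller/validator.go
@@ -5,21 +5,33 @@ import (
 
 "github.com/cloudcarver/anclax/pkg/auth"
 "github.com/gofiber/fiber/v2"
+"github.com/risingwavelabs/risingwave-console/pkg/config"
 "github.com/risingwavelabs/risingwave-console/pkg/zcore/model"
 "github.com/risingwavelabs/risingwave-console/pkg/zgen/apigen"
 "github.com/risingwavelabs/risingwave-console/pkg/zgen/querier"
 )
 
+// DefaultOrgID is used when authentication is disabled
+const DefaultOrgID int32 = 1
+
 type Validator struct {
-model model.ModelInterface
-auth auth.AuthInterface
+model model.ModelInterface
+auth auth.AuthInterface
+authDisable bool
 }
 
-func NewValidator(model model.ModelInterface, auth auth.AuthInterface) apigen.Validator {
-return &Validator{model: model, auth: auth}
+func NewValidator(model model.ModelInterface, auth auth.AuthInterface, cfg *config.Config) apigen.Validator {
+return &Validator{
+model: model,
+auth: auth,
+authDisable: cfg.Auth.Disable,
+}
 }
 
 func (v *Validator) GetOrgID(c *fiber.Ctx) int32 {
+if v.authDisable {
+return DefaultOrgID
+}
 return c.Locals(auth.ContextKeyOrgID).(int32)
 }
 
@@ -35,6 +47,12 @@ func (v *Validator) OwnDatabase(c *fiber.Ctx, orgID int32, databaseID int32) err
 }
 
 func (v *Validator) AuthFunc(c *fiber.Ctx) error {
+if v.authDisable {
+// When auth is disabled, set the default OrgID in context
+// so that downstream handlers can still access it
+c.Locals(auth.ContextKeyOrgID, DefaultOrgID)
+return nil
+}
 return v.auth.Authfunc(c)
 }
 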
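Review bot: In `AuthFunc` the disabled branch stores only `auth.ContextKeyOrgID` before returning nil, so any other request local that `v.auth.Authfunc` would normally set is missing. That is inferred, since Authfunc is not shown here, but a handler that type-asserts such a value the way `GetOrgID` does on its last line would panic rather than return an error. The bypass is also silent: `NewValidator` copies `cfg.Auth.Disable` without recording it (and dereferences `cfg` without a nil check), so a stray `RCONSOLE_AUTH_DISABLE=true` leaves every endpoint open and attributed to org 1 with nothing in the logs to show it. I would emit one warning at construction when the flag is set, and expand the constant's comment to `// DefaultOrgID is the organization every request is attributed to when auth.disable is true; it is assumed to exist, and all callers share it.` The body of `OwnDatabase` lies above the second hunk and outside the view, so whether its ownership check still isolates anything in this mode cannot be confirmed from here.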
4 changes: 2 additions & 2 deletions wire/wire_gen.go
