Introduce security mode option

2025-05-24 02:02:36 -04:00 · 2024-03-09 13:40:42 +01:00 · 2024-03-09 13:40:42 +01:00 · 041abb732d
commit 041abb732d
parent 9ee07794a8
5 changed files with 84 additions and 17 deletions
--- a/.env.example
+++ b/.env.example
@ -1,35 +1,59 @@
+# vi: ft=sh
+# shellcheck disable=SC2034
+
+
 # Useful config options

 # Library root can either be an absolute path or a relative path to your docker-compose.yml file.
 LIBRARY_ROOT=./video
 CACHE_ROOT=/tmp/kyoo_cache
 LIBRARY_LANGUAGES=en
+# A pattern (regex) to ignore video files.
+LIBRARY_IGNORE_PATTERN=".*/[dD]ownloads?/.*"
+
+
+# Available modes: open, logged, verif, invite
+#  open means anyone can use your instance, even without an account (guest mode is enabled). To specify guest permissions, see UNLOGGED_PERMISSIONS.
+#  verif means anyone can create an account but their account needs to be manually verified by an admin before they can use kyoo
+#  invite means only created and verified accounts can access your instance. to allow someone else to use your instance, you need to invite them.
+SECURITY_MODE=verif
+
+# Specify permissions of guest accounts. By default, if security mode is not open, this is empty.
+# You can specify this even if security mode is not open to allow guests users to see your
+# collection without behing able to play videos for example.
+# Default if SECURITY_MODE is open:
+# UNLOGGED_PERMISSIONS=overall.read,overall.play
+# Default if SECURITY_MODE is not open:
+# UNLOGGED_PERMISSIONS=
+# To allow anyone to browse your collection but prevent them from playing a video:
+# UNLOGGED_PERMISSIONS=overall.read
+
+# Specify permissions of new accounts.
+# DEFAULT_PERMISSIONS=overall.read,overall.play
+
+
 # Hardware transcoding (equivalent of --profile docker compose option).
 COMPOSE_PROFILES= # vaapi or qsv or nvidia
 # the preset used during transcode. faster means worst quality, you can probably use a slower preset with hwaccels
 # warning: using vaapi hwaccel disable presets (they are not supported).
 GOCODER_PRESET=fast

-# A pattern (regex) to ignore video files.
-LIBRARY_IGNORE_PATTERN=.*/[dD]ownloads?/.*

 # The following two values should be set to a random sequence of characters.
 # You MUST change thoses when installing kyoo (for security)
-AUTHENTICATION_SECRET=4c@mraGB!KRfF@kpS8739y9FcHemKxBsqqxLbdR?
+AUTHENTICATION_SECRET="4c@mraGB!KRfF@kpS8739y9FcHemKxBsqqxLbdR?"
 # You can input multiple api keys separated by a ,
 KYOO_APIKEYS=t7H5!@4iMNsAaSJQ49pat4jprJgTcF656if#J3

-DEFAULT_PERMISSIONS=overall.read,overall.play
-UNLOGGED_PERMISSIONS=overall.read,overall.play
-
 THEMOVIEDB_APIKEY=

+# The url you can use to reach your kyoo instance. This is used during oidc to redirect users to your instance.
 PUBLIC_URL=http://localhost:5000
+
 # Use a builtin oidc service (google or discord):
 # When you create a client_id, secret combo you may be asked for a redirect url. You need to specify https://YOUR-PUBLIC-URL/api/auth/logged/YOUR-SERVICE-NAME
 # OIDC_DISCORD_CLIENTID=
 # OIDC_DISCORD_SECRET=
-
 # Or add your custom one:
 OIDC_SERVICE_NAME=YourPrettyName
 OIDC_SERVICE_LOGO=https://url-of-your-logo.com
@ -58,5 +82,3 @@ POSTGRES_PORT=5432

 MEILI_HOST="http://meilisearch:7700"
 MEILI_MASTER_KEY="ghvjkgisbgkbgskegblfqbgjkebbhgwkjfb"
-
-# vi: ft=sh
--- a/back/src/Kyoo.Authentication/AuthenticationModule.cs
+++ b/back/src/Kyoo.Authentication/AuthenticationModule.cs
@ -16,6 +16,7 @@
 // You should have received a copy of the GNU General Public License
 // along with Kyoo. If not, see <https://www.gnu.org/licenses/>.

+using System;
 using System.Collections.Generic;
 using System.Linq;
 using System.Text;
@ -65,15 +66,14 @@ namespace Kyoo.Authentication
 				"AUTHENTICATION_SECRET",
 				AuthenticationOption.DefaultSecret
 			)!;
-			PermissionOption permissions =
+			PermissionOption options =
 				new()
 				{
-					Default = _configuration
-						.GetValue("UNLOGGED_PERMISSIONS", "overall.read")!
-						.Split(','),
+					Default = _configuration.GetValue("UNLOGGED_PERMISSIONS", "")!.Split(','),
 					NewUser = _configuration
-						.GetValue("DEFAULT_PERMISSIONS", "overall.read")!
+						.GetValue("DEFAULT_PERMISSIONS", "overall.read,overall.play")!
 						.Split(','),
+					SecurityMode = _configuration.GetValue("SECURITY_MODE", SecurityMode.Verif),
 					PublicUrl =
 						_configuration.GetValue<string?>("PUBLIC_URL") ?? "http://localhost:8901",
 					ApiKeys = _configuration.GetValue("KYOO_APIKEYS", string.Empty)!.Split(','),
@ -128,12 +128,19 @@ namespace Kyoo.Authentication
 										return acc;
 								}
 								return acc;
-							}
+						}
 						),
 				};
-			services.AddSingleton(permissions);
+			if (!options.Default.Any())
+			{
+				options.Default =
+					options.SecurityMode == SecurityMode.Open
+						? new string[] {"overall.read", "overall.play"}
+						: Array.Empty<string>();
+			}
+			services.AddSingleton(options);
 			services.AddSingleton(
-				new AuthenticationOption() { Secret = secret, Permissions = permissions, }
+				new AuthenticationOption() { Secret = secret, Permissions = options, }
 			);

 			// TODO handle direct-videos with bearers (probably add a cookie and a app.Use to translate that for videos)
--- a/back/src/Kyoo.Authentication/Models/DTO/ServerInfo.cs
+++ b/back/src/Kyoo.Authentication/Models/DTO/ServerInfo.cs
@ -32,11 +32,21 @@ public class ServerInfo
 	/// </summary>
 	public string PublicUrl { get; set; }

+	/// <summary>
+	/// Which security mode was chosen for this instance.
+	/// </summary>
+	public SecurityMode SecurityMode { get; set; }
+
 	/// <summary>
 	/// True if guest accounts are allowed on this instance.
 	/// </summary>
 	public bool AllowGuests { get; set; }

+	/// <summary>
+	/// True if a user is able to register.
+	/// </summary>
+	public bool AllowRegister { get; set; }
+
 	/// <summary>
 	/// The list of permissions available for the guest account.
 	/// </summary>
--- a/back/src/Kyoo.Authentication/Models/Options/PermissionOption.cs
+++ b/back/src/Kyoo.Authentication/Models/Options/PermissionOption.cs
@ -23,6 +23,27 @@ using Kyoo.Abstractions.Models.Permissions;

 namespace Kyoo.Authentication.Models;

+public enum SecurityMode
+{
+	/// <summary>
+	/// Anyone can use your instance, even without an account (guest mode is enabled).
+	/// To specify guest permissions, see UNLOGGED_PERMISSIONS.
+	/// </summary>
+	Open,
+
+	/// <summary>
+	/// Anyone can create an account but their account needs to be manually verified
+	/// by an admin before they can use kyoo.
+	/// </summary>
+	Verif,
+
+	/// <summary>
+	/// Only created and verified accounts can access your instance. To allow someone else
+	/// to use your instance, you need to invite them.
+	/// </summary>
+	Invite,
+}
+
 /// <summary>
 /// Permission options.
 /// </summary>
@ -33,6 +54,11 @@ public class PermissionOption
 	/// </summary>
 	public const string Path = "authentication:permissions";

+	/// <summary>
+	/// Which security mode was chosen for this instance.
+	/// </summary>
+	public SecurityMode SecurityMode { get; set; }
+
 	/// <summary>
 	/// The default permissions that will be given to a non-connected user.
 	/// </summary>
--- a/back/src/Kyoo.Authentication/Views/InfoApi.cs
+++ b/back/src/Kyoo.Authentication/Views/InfoApi.cs
@ -38,7 +38,9 @@ public class InfoApi(PermissionOption options) : ControllerBase
 		return Ok(
 			new ServerInfo()
 			{
+				SecurityMode = options.SecurityMode,
 				AllowGuests = options.Default.Any(),
+				AllowRegister = options.SecurityMode != SecurityMode.Invite,
 				GuestPermissions = options.Default.ToList(),
 				PublicUrl = options.PublicUrl,
 				Oidc = options