
Documentation on how to prevent anyone from uploading files #190

Closed
feefladder opened this issue Apr 8, 2022 · 6 comments

Comments

@feefladder

This may be already solved, or considered trivial by more experienced people, but I just want to host documentation for a project of mine.

If I now host my Docat website and link to a project, any user could click the home icon and then upload anything, since that does not require a token of any sort, as long as the version name is different. Besides this being a possible security risk, I also don't want anyone to be able to upload files.

Otherwise, anyone would also be able to upload files using curl:

curl -X POST -F "[email protected]" http://localhost:8000/api/existing-project/none-existing-version

Either there is some obvious difference between my localhost website and a public one, or, if anyone can upload files from anywhere, I think this should be solved?

@feefladder
Author

I've confirmed that the website is the same when using ssh.localhost.run and then going to that address.

So the security risk is somewhat mitigated, but there is still a warning that is being ignored!

@feefladder
Author

This may be superficially solved by #123, otherwise by something like #36, but that seems a bit advanced... If there were some setting that could be enabled and disabled to allow people to access only a specific part of the website, like hostname.io/#/awesome-project/whatever, that would be a solution.

@randombenj
Member

Thanks for the in-depth digging! Our main use case was to host docat behind some company firewall where you 'trust' everyone. There was a very deliberate trade-off between simplicity and security, so we would not recommend hosting docat exposed to the internet as is (see: #36).

If you really want to host it publicly you could secure all http post requests with nginx basic auth:
https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-http-basic-authentication/

@randombenj randombenj reopened this Apr 8, 2022
@feefladder
Author

feefladder commented Apr 11, 2022

Ok, so I figured it out, branch. However, I found that editing files in the Docker container was quite a hassle, so I ended up cloning the repo and building my own container, which is much more involved than it should be.

Then I see the following further options:

  1. Make Basic Auth for api the default for Docat
  2. Make a config option in the docker container that enables/disables basic auth - not sure how to do this
  3. Provide two separate containers, one with basic auth, one without
  4. Provide only the unprotected container with extensive docs on how to protect it.
  5. Add a shell script that makes necessary changes

For the container with basic auth, apache2-utils should be added to the apk list, this is arguably easier than copying a .htpasswd file.

@cocoonkid

I recommend you use Authelia or something similar to easily manage access.

This is not really in the project scope imho.

@fliiiix
Member

fliiiix commented Aug 7, 2022

@feefladder you were on the right track, but there is not really a need to build your own container.
The preferred solution to this problem is to host the docker container behind a reverse proxy where you
can implement basic auth or whatever other restrictions you want to have.

And the other option is to override and adjust the NGINX config inside the docker container.
I documented both in the wiki for future use:
https://github.com/docat-org/docat/wiki/HTTP-Basic-Auth
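As an added illustration of the reverse-proxy approach described in this thread (this is example configuration, not the docat project's own config or its wiki page): anonymous users keep read access to the UI and docs, while uploads to the `/api/` path seen in the curl command above require HTTP Basic Auth. The upstream name `docat:8000`, the server name and the `.htpasswd` path are assumptions.

```nginx
# Example reverse proxy in front of the docat container (not the project's own config).
# Reads stay anonymous; any non-read method on /api/ (e.g. the POST used for uploads)
# must present valid Basic Auth credentials.
server {
    listen 80;
    server_name docs.example.com;          # assumed hostname

    # UI and documentation pages: no authentication.
    location / {
        proxy_pass http://docat:8000;      # assumed container name and port
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    # Upload API: GET/HEAD/OPTIONS pass through; everything else is challenged.
    location /api/ {
        limit_except GET HEAD OPTIONS {
            auth_basic "docat uploads";
            # Assumed path; create the file with `htpasswd -c` from apache2-utils.
            auth_basic_user_file /etc/nginx/.htpasswd;
        }
        proxy_pass http://docat:8000;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        client_max_body_size 100m;         # uploads are archives; adjust to taste
    }
}
```

Verify the split by repeating the thread's curl upload without credentials (expect `401 Unauthorized`) and with `-u user:password` (expect success), while a plain GET of the docs still returns `200`.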

@fliiiix fliiiix closed this as completed Aug 7, 2022