auth/authz or recommended way

[westurner]

Add support for authentication and authorization (auth/authz) to textual-web,
or an example/ of sufficient security to the docs,
or a warning that you should not host terminals over HTTP (with no login).

• standard security policy

  • MUST NOT run a terminal over HTTP without auth.
    • Justification: Why were SSH and TLS/HTTPS created when we already had telnet and HTTP 1.0?

• warning for the CLI user

  • textual-web is running without HTTPS.
    Autogenerating a --cert and assuming you meant --https
    Pass --http to allow running without HTTPS.

Presumably there's already a good enough way to add auth/authz to aiohttp apps?

Tasks

• Add HTTPS support and args for certs
• Autogenerate self-signed certs if none is specified?
• Warn if not launched w/ HTTPS and a cert
• Warn if not launched w/ auth
• Add auth: {basic, digest, or token-based,} authentication and authorization;

  {user:u,
   permissions: {id: "/route/1", permissons: [read,write,],
   tokens: [{id: "token1", permissions: [read], dateCreated:, validUntil:}],
   session_keys: [{id: "abcd1", dateCreated:, validUntil: ],
   }

• research auth/authz for aiohttp apps w/ and w/o a framework:

ASGI

• ASGI is like WSGI but for async web development (e.g. streaming HTTP requests and responses, WebSockets, WebRTC, messages)
• The ASGI Asynchronous Server Gateway Interface makes it possible to compose applications that handle message ingress and egress;
  (i.e. async web applications)
• https://asgi.readthedocs.io/en/latest/specs/main.html
• https://asgi.readthedocs.io/en/latest/specs/tls.html
• https://asgi.readthedocs.io/en/latest/specs/www.html
• https://github.com/etianen/aiohttp-wsgi

aiohttp-asgi

• src: https://github.com/mosquito/aiohttp-asgi

• README example setup: FastAPI + Starlette + aiohttp

  from aiohttp import web
  from fastapi import FastAPI
  from starlette.requests import Request as ASGIRequest
  
  from aiohttp_asgi import ASGIResource
  
  asgi_app = FastAPI()

• https://docs.aiohttp.org/en/stable/third_party.html

  • https://github.com/imbolc/aiohttp-login (archived)
  • https://github.com/kirlf/aiohttp-login-jwt (archived)
  • https://github.com/alex-oleshkevich/starsessions#built-in-stores
  • https://github.com/aio-libs/aiohttp-security
  • https://github.com/aio-libs/aiohttp-security/blob/master/aiohttp_security/__init__.py

• https://docs.authlib.org/en/latest/client/starlette.html

• https://www.starlette.dev/third-party-packages/

  • https://github.com/jockerz/Starlette-Login

• tornado
  https://github.com/tornadoweb/tornado

  • tornado supports asyncio natively.
  • it looks like it's possible to use tornado (for auth?) with aiohttp
  • https://www.tornadoweb.org/en/stable/guide/security.html#user-authentication
  • https://www.tornadoweb.org/en/stable/guide/security.html#third-party-authentication
  • https://www.tornadoweb.org/en/stable/auth.html#module-tornado.auth
  • https://github.com/tornadoweb/tornado/blob/master/tornado/auth.py

• xpresso:
  https://github.com/adriangb/xpresso

• fastapi:

  • https://docs.authlib.org/en/latest/client/fastapi.html
    • https://github.com/mjhea0/awesome-fastapi#auth
    • https://github.com/tomasvotava/fastapi-sso
    • https://github.com/pysnippet/fastapi-oauth2/
    • https://github.com/holgi/fastapi-permissions
    • https://github.com/fastapi-users/fastapi-users

[westurner]

alternatives that also have TLS by default:

• https://github.com/cs01/termpair

  • Secure web environment required (https)

• https://github.com/yudai/gotty

  // Enable TSL/SSL by default
  enable_tls = true
  

• https://github.com/spolu/warp#security
• jupyter
• jupyter_console

  pip install jupyter_console
  jupyter kernelspec list
  jupyter console --kernel=python
  jupyter console --kernel=bash

• https://aiohttp-session.readthedocs.io/en/stable/reference.html#aiohttp_session.cookie_storage.EncryptedCookieStorage
• https://aiohttp-session.readthedocs.io/en/stable/reference.html#nacl-storage
• https://docs.aiohttp.org/en/stable/deployment.html#proxy-through-nginx-ssl
  • X-Forwarded-Host
• https://docs.aiohttp.org/en/latest/web_advanced.html#deploying-behind-a-proxy
• https://github.com/aio-libs/aiohttp-remotes
  • https://aiohttp-remotes.readthedocs.io/en/stable/api.html#aiohttp_remotes.Secure
  • X-Forwarded-Host,

alternatives that have no or other encryption by default:

• https://mosh.org/#techinfo > "How Mosh works"
• .
• jupyter_console --ip= --transport=
• https://jupyterlab.readthedocs.io/en/stable/user/terminal.html
• .
• ENH: (oh, there could be a textual jupyter client app) (but this is textual-web)
  • there's already ipytextual for embedding textual in jupyter notebooks
• .
• https://github.com/davidbrochart/ipytextual
• .
• textual-web could probably run within jupyter-server; next to jupyterlab at /lab and /static/
• https://www.google.com/search?q=how+to+wrap+an+aiohttp+app+as+a+jupyter-server+extension
• https://jupyter-server.readthedocs.io/en/latest/operators/security.html#security-in-the-jupyter-server
• https://jupyter-server.readthedocs.io/en/latest/developers/extensions.html#authoring-a-configurable-extension-application
• .
• https://stackoverflow.com/questions/34759841/using-tornado-with-aiohttp-or-other-asyncio-based-libraries
• https://github.com/plter/tornado_asgi_handler