Requiring Forms authentication to list/download packages
I’m trying to secure a gallery (both the user-visible website and the API) and will not be able to use Windows authentication. I’d like to limit package listing and download to the accounts that people can register for on the site. I tried setting things up as Forms authentication with the following configuration entry, but after filling in my account info on the /users/account/logon page and hitting submit, I get redirected back to the logon page.
<authentication mode="Forms">
  <forms loginUrl="/users/account/Logon"/>
</authentication>
<authorization>
  <deny users="?" />
</authorization>
From a quick look at the gallery code, the LogOn() method on AuthenticationController uses SignIn() as the method to take the posted information, which doesn’t seem to play nicely with Forms authentication. If I rename the SignIn() method to LogOn(), Forms authentication and requiring a logon works for the website, but API access (via the Visual Studio Extension) never prompts me to log on; it just sits there spinning.
I haven’t tracked down exactly what’s going on with the Visual Studio Extension yet, but I wanted to check to see if there’s an easier option to turn off anonymous listing/downloading of packages that I just didn’t see documented before I dug into the issue further.
Issue Analytics
- Created 9 years ago
- Comments:20 (6 by maintainers)
Top GitHub Comments
+++1 Incredible, can it really be true that in 2016 nobody has a functioning NuGet Gallery WITH authentication running!? If really NOT, then please PING me and we start a new fork for this! ::: Beautiful 3rd advent! :::
Definitely IIS hijacking the redirect. Can you check the ApiKeyAuthenticationHandler? We use an explicit 403 there to make the authentication trigger.
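An added example, not code from the gallery project or from anyone in this thread: a small check for the two outcomes discussed above, content still served anonymously despite the deny rule, and an API request answered with the HTML logon redirect instead of a 401/403 the client can act on. The /api/... paths, the host name and the sample responses are constructed placeholders; only the loginUrl comes from the configuration in the issue.

```python
from urllib.parse import urlsplit

LOGIN_PATH = "/users/account/Logon"  # loginUrl from the config in the issue

def classify(status, headers, login_path=LOGIN_PATH):
    """Classify how one unauthenticated request was answered."""
    h = {k.lower(): v for k, v in headers.items()}
    if status in (301, 302, 303, 307):
        # Forms authentication replaces the 401 with a redirect to loginUrl.
        target = urlsplit(h.get("location", ""))
        same = target.path.lower() == login_path.lower()
        return "login-redirect" if same else "other-redirect"
    if status == 401:
        return "challenge" if "www-authenticate" in h else "bare-401"
    if status == 403:
        return "forbidden"
    return "anonymous-allowed" if 200 <= status < 300 else "other"

def audit(probes, login_path=LOGIN_PATH):
    """probes: (path, is_api, status, headers) from anonymous requests."""
    findings = []
    for path, is_api, status, headers in probes:
        kind = classify(status, headers, login_path)
        if kind == "anonymous-allowed" and path.lower() != login_path.lower():
            findings.append((path, "open: content served without a logon"))
        elif kind == "login-redirect" and is_api:
            findings.append((path, "API got the HTML logon redirect, no challenge"))
    return findings

# Constructed sample responses; the /api/... paths are placeholders.
SAMPLE_PROBES = [
    ("/packages", False, 302, {"Location": "/users/account/Logon?ReturnUrl=%2fpackages"}),
    ("/users/account/Logon", False, 200, {}),
    ("/api/feed-placeholder", True, 302,
     {"Location": "http://gallery.example/users/account/Logon?ReturnUrl=%2fapi"}),
    ("/api/download-placeholder", True, 200, {}),
]

if __name__ == "__main__":
    for path, message in audit(SAMPLE_PROBES):
        print(f"{path}: {message}")
```

To use it against a real deployment, record the status and headers of requests sent without credentials and with redirect following disabled, then pass them to audit() in place of SAMPLE_PROBES.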