Password protection #96

Open
evilmrburns opened this issue Apr 16, 2018 · 9 comments

@evilmrburns
Contributor

I've moved my mx records over, and inbucket is working great for me.

But, as a suggestion for a feature, what about password protection? I'm not sure I want to run this publicly, but being able to password protect it would be great. Or even if I do decide to keep it open, I'd love to be able to toss the monitor or status under password protection. I've disabled monitor for now, but it would be nice to have a way for admin to be able to access that themselves.

Again, keep up the good work, almost can't believe people like you make this for fun for free. Great job.

@wjx0912

wjx0912 commented Apr 17, 2018

Very good project! I need password protection also; does the author consider it?

@evilmrburns
Contributor Author

Really, I know nothing about golang, but I tried some auth stuff in my repo, tried a few things, but it looks like since this project is not using ListenAndServe, the tutorials aren't meant for it. I can see that I'm pulling my code, but when the specific pages are rendered, I can't get it to hit the password protection.

I could see a variable set to password protect those pages, check the variable, and use a .htaccess file to be able to set the password from console and keep a list of allowed users. I just don't have the capabilities in golang to be able to submit the changes, sorry wjx.

@jhillyerd
Collaborator

jhillyerd commented Apr 17, 2018

Thanks for the kind words. :)

I'm OK with adding a global password for all of the Inbucket web UI. This would probably be implemented as a hashed password stored in an environment variable.

I'm not OK with password protecting individual mailboxes. Inbucket literally deletes the entire mailbox when it is empty, so there is nowhere to keep the password.

@evilmrburns Yes, the web UI code is a mess right now; Inbucket started as a https://revel.github.io/ app, but I ended up ripping it out and rolling my own. I didn't bother refactoring it for 2.0 because I knew I would be rebuilding the UI from scratch soon. I've actually started on the front end code (https://github.com/jhillyerd/inbucket-elm), but have not yet touched the server side code.

If you really want to try implementing this, it would need to be a middleware that wraps each handler func in https://github.com/jhillyerd/inbucket/blob/master/pkg/webui/routes.go

Edit: Meant to say if you need password protection immediately, I would look into proxying HTTP requests through nginx or Apache HTTPD. This would also allow you to add SSL via letsencrypt or similar. Whatever proxy you use needs to support WebSockets if you want to use the monitor.

@jhillyerd
Collaborator

See also http://www.gorillatoolkit.org/pkg/mux on how to wrap the entire router in a middleware:

r := mux.NewRouter()
r.HandleFunc("/", handler)
r.Use(simpleMw)
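
The following is an added example, not Inbucket's own code or anything from the thread. It puts together the two ideas above, a single global credential whose password is stored hashed in an environment variable, and a middleware that wraps the whole router rather than individual handler funcs, and it accepts the standard `Authorization: Basic` header (the same kind of value the later referenced commits configure). The variable names `EXAMPLE_WEB_USER` and `EXAMPLE_WEB_PASS_SHA256` are assumptions for the example. It uses `net/http`'s ServeMux so it runs with no dependencies; a gorilla `mux.Router` is also an `http.Handler`, so `BasicAuth(cfg, realm, r)` would wrap it the same way, or the inner handler could be registered with `r.Use`. Both comparisons are constant-time and both always run, so a wrong username does not fail observably faster than a wrong password.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"log"
	"net/http"
	"os"
)

// AuthConfig holds the one global web UI credential. The environment variable
// names used to fill it (see LoadAuthConfig) are assumptions for this example,
// not Inbucket's own settings.
type AuthConfig struct {
	User     string // expected username
	PassHash []byte // SHA-256 digest of the expected password (raw bytes)
}

// LoadAuthConfig reads EXAMPLE_WEB_USER and EXAMPLE_WEB_PASS_SHA256 (hex encoded).
// getenv is injected so the function can be exercised without touching the real
// environment. ok is false when either variable is missing or the hash is not
// a well-formed SHA-256 digest, so the caller can refuse to start unprotected.
func LoadAuthConfig(getenv func(string) string) (AuthConfig, bool) {
	user := getenv("EXAMPLE_WEB_USER")
	hexHash := getenv("EXAMPLE_WEB_PASS_SHA256")
	if user == "" || hexHash == "" {
		return AuthConfig{}, false
	}
	h, err := hex.DecodeString(hexHash)
	if err != nil || len(h) != sha256.Size {
		return AuthConfig{}, false
	}
	return AuthConfig{User: user, PassHash: h}, true
}

// Authorized reports whether the supplied credentials match the configured ones.
// The supplied password is hashed and compared against the stored digest; the
// plaintext password is never stored. Both compares run unconditionally.
func (c AuthConfig) Authorized(user, pass string) bool {
	sum := sha256.Sum256([]byte(pass))
	userOK := subtle.ConstantTimeCompare([]byte(user), []byte(c.User)) == 1
	passOK := subtle.ConstantTimeCompare(sum[:], c.PassHash) == 1
	return userOK && passOK
}

// BasicAuth wraps any http.Handler (a whole router included) and requires HTTP
// Basic credentials on every request, which also covers the WebSocket upgrade
// request the monitor page makes, since that arrives as an ordinary GET.
func BasicAuth(cfg AuthConfig, realm string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		user, pass, ok := r.BasicAuth() // parses "Authorization: Basic base64(user:pass)"
		if !ok || !cfg.Authorized(user, pass) {
			w.Header().Set("WWW-Authenticate", fmt.Sprintf(`Basic realm=%q`, realm))
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	cfg, ok := LoadAuthConfig(os.Getenv)
	if !ok {
		log.Fatal("set EXAMPLE_WEB_USER and EXAMPLE_WEB_PASS_SHA256 (hex of sha256(password)) before starting")
	}
	// Stand-in routes for the example; the real web UI routes would be registered here.
	routes := http.NewServeMux()
	routes.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, "mailbox list would be served here")
	})
	routes.HandleFunc("/monitor", func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, "monitor would be served here")
	})
	// Protecting the whole tree means no route can be forgotten; to protect only
	// /monitor, wrap just that handler instead.
	log.Fatal(http.ListenAndServe("127.0.0.1:9000", BasicAuth(cfg, "Inbucket", routes)))
}
```

To produce the hash for the environment variable: `printf '%s' 'bar' | sha256sum`. Basic auth sends the password in the clear on every request, so this only makes sense behind TLS, which is one more reason the reverse proxy route mentioned above is attractive for an immediate fix.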

@evilmrburns
Contributor Author

And thanks again for the response. Incredibly helpful. I'm not looking to password protect an individual box, I was more looking to just put the monitor for everything behind a little wall. The individual handler for /monitor could do it I would imagine.

I did find the mux stuff, saw it referenced and looked into it. I did see the middleware example on their page, but again, with what you have implemented, I couldn't for the life of me figure out where to try and copy and pasta it in, sorry.

Environment variable for the hashed password is good though. I'm thinking more of what I know with the .htaccess file or a database back end, but since everything else is stored there already, it makes good sense.

I am really sorry I can't be of more help; however, I am using this really just for personal use. But I have a test bed in Ubuntu 16.04 and CentOS 7.4 if you want me to run releases and help in any way there.

@evilmrburns
Contributor Author

I don't know where to put this and I don't see private messaging, so @jhillyerd I saw on your developer wishlist, a logo. I can make a vector logo, but could use ideas. I mocked up a bucket with a letter in it, with IN on it. Colors are just for contrast, please don't tell me you dig neon blue and red haha.

If there is some way to message that I don't know about, please let me know. If you'd like me to mock a few things up, just let me know your ideas and color preferences.

[image: inbucket logo mockup]

@jhillyerd
Collaborator

I don't think github has private messaging, but if you were to place an @ between my first and last name, and add .com to the end, you would be in possession of my email address.

The ideas I had were similar, a slightly tapered metal bucket with either a bunch of letters poking out the top, or perhaps a US style mailbox on a wooden post extending out of the bucket.

@evilmrburns
Contributor Author

I'll shoot you an email, but I don't mind posting here, or opening a separate issue. Just seeing if I can help. If I'm more bothersome than helpful tell me to buzz off lol.

[image: inbucket2 logo mockup]

@jhillyerd jhillyerd added this to To do in UI Refresh Apr 21, 2018
@kingforaday
Contributor

kingforaday commented May 7, 2018

@evilmrburns Based on jhillyerd's comments about limitations of per mailbox password protection, in my opinion, you should offload this functionality to something like nginx, which would be perfect to deal with this case for you. For example, consider the following nginx config I mocked up for you:

# Plain HTTP: only redirect to HTTPS so credentials are never sent in the clear.
server {
    listen              80;
    server_name         yoursite.tld www.yoursite.tld;

    location / {
        return 301      https://$host$request_uri;
    }
}

# HTTPS: terminate TLS, require Basic auth, then proxy to Inbucket on localhost.
server {
    listen              443 ssl;
    ssl_certificate     /etc/letsencrypt/live/yoursite.tld/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yoursite.tld/privkey.pem;
    server_name         _;

    location / {
        auth_basic              "for evilmrburns only";
        auth_basic_user_file    /etc/nginx/.htpasswd;
        # WebSocket support, needed for the monitor page.
        proxy_set_header        Upgrade     $http_upgrade;
        proxy_set_header        Connection  "upgrade";
        proxy_http_version      1.1;
        proxy_pass              http://127.0.0.1:9000;
    }
}

Then generate the .htpasswd file using the following:

# -c creates the file; omit it when adding further users to an existing file
sudo htpasswd -c /etc/nginx/.htpasswd <username>
# NOTE: You might need apt install -y apache2-utils

For the SSL certificates, Let's Encrypt is a wonderful way to go and their awesome work has made management dead simple using 'certbot'. I won't go into instructions for certbot because their tool includes the information perfectly as you configure it for use.

I hope this is helpful.

@jhillyerd jhillyerd removed this from To do in UI Refresh Nov 6, 2018
BOPOHA added a commit to BOPOHA/inbucket that referenced this issue Sep 18, 2020
For example, this value matches the username `foo` and password `bar`:

    export INBUCKET_WEB_AUTHHEADER="Basic Zm9vOmJhcg=="
a-schild added a commit to a-schild/inbucket that referenced this issue Nov 30, 2020
implementing BasicAuth for one username; fixes inbucket#96