Added whitelist option

Lenardt Gerhardts · Lenardt Gerhardts · commit 8d18f522b95a · 2025-07-25T14:42:10.000+02:00
diff --git a/configuration.md b/configuration.md
@@ -26,6 +26,7 @@ Here are the available configuration options and their default values:
 | `allow_exec`                                  | false                                                       | Allow usage of the `sqlpage.exec` function. Do this only if all users with write access to sqlpage query files and to the optional `sqlpage_files` table on the database are trusted.                                                                  |
 | `max_uploaded_file_size`                      | 5242880                                                     | Maximum size of forms and uploaded files in bytes. Defaults to 5 MiB.                                                                                                                                                                                            |
 | `oidc_protected_paths`                        | `["/"]`                                                      | A list of URL prefixes that should be protected by OIDC authentication. By default, all paths are protected (`["/"]`). If you want to make some pages public, you can restrict authentication to a sub-path, for instance `["/admin", "/users/settings"]`. |
+| `oidc_public_paths`                           | `[]`                                                        | A list of URL prefixes that should be publicly available. By default, no paths are publicly accessible (`[]`). If you want to make some pages public, you can bypass authentication for a sub-path, for instance `["/public/", "/assets/"]`. Keep in mind that without the closing backslashes, that any directory or file starting with `public` or `assets` will be publicly available. This will also overwrite any protected path restriction. If you have a private path `/private` and you define the public path `/private/public/` everything in `/private/public/` will be publicly accessible, while everything else in private will still need authentication. You will not be able to define a private path inside a public path. |
 | `oidc_issuer_url`                            |                                                           | The base URL of the [OpenID Connect provider](#openid-connect-oidc-authentication). Required for enabling Single Sign-On. |
 | `oidc_client_id`                             | sqlpage                                                   | The ID that identifies your SQLPage application to the OIDC provider. You get this when registering your app with the provider. |
 | `oidc_client_secret`                         |                                                           | The secret key for your SQLPage application. Keep this confidential as it allows your app to authenticate with the OIDC provider. |
diff --git a/src/app_config.rs b/src/app_config.rs
@@ -206,9 +206,21 @@ pub struct AppConfig {
     /// If you specify a list of prefixes, only requests whose path starts with one of the prefixes will require authentication.
     /// For example, if you set this to `["/private"]`, then requests to `/private/some_page.sql` will require authentication,
     /// but requests to `/index.sql` will not.
+    /// NOTE: `OIDC_PUBLIC_PATHS` takes precedence over `OIDC_PROTECTED_PATHS`.
+    /// For example, if you have `["/private"]` on the `protected_paths` like before, but also `["/private/public"]` on the `public_paths`, then `/private` requires authentication, but `/private/public` requires not authentication.
+    /// You cannot make a path inside a public path private again. So expanding the previous example, if you now add `/private/public/private_again`, then this path will still be accessible.
     #[serde(default = "default_oidc_protected_paths")]
     pub oidc_protected_paths: Vec<String>,
 
+    /// Defines a list of path prefixes that should be ignored by OIDC authentication
+    /// By default, now paths will be ignored.
+    /// If you specify a list of prefixes, requests whose path starts with one of the prefixes will be not require authentication.
+    /// For example, if set this to `["/public"]`, then requests to `/public/some_page.sql` will not require authentication,
+    /// but requests to `/index.sql` will.
+    /// If you still want to make `/index.sql` public, but leave the rest of the folder protected, then append `["/index.sql"]`. But keep in mind that if you have a directory that starts with `index.sql` that it will also be public.
+    #[serde(default = "default_oidc_public_paths")]
+    pub oidc_public_paths: Vec<String>,
+
     /// A domain name to use for the HTTPS server. If this is set, the server will perform all the necessary
     /// steps to set up an HTTPS server automatically. All you need to do is point your domain name to the
     /// server's IP address.
@@ -558,6 +570,10 @@ fn default_oidc_protected_paths() -> Vec<String> {
     vec!["/".to_string()]
 }
 
+fn default_oidc_public_paths() -> Vec<String> {
+    vec![]
+}
+
 #[derive(Debug, Deserialize, Serialize, PartialEq, Clone, Copy, Eq, Default)]
 #[serde(rename_all = "lowercase")]
 pub enum DevOrProd {
diff --git a/src/webserver/oidc.rs b/src/webserver/oidc.rs
@@ -49,6 +49,7 @@ pub struct OidcConfig {
     pub client_id: String,
     pub client_secret: String,
     pub protected_paths: Vec<String>,
+    pub public_paths: Vec<String>,
     pub app_host: String,
     pub scopes: Vec<Scope>,
 }
@@ -62,6 +63,7 @@ impl TryFrom<&AppConfig> for OidcConfig {
             "The \"oidc_client_secret\" setting is required to authenticate with the OIDC provider",
         ))?;
         let protected_paths: Vec<String> = config.oidc_protected_paths.clone();
+        let public_paths: Vec<String> = config.oidc_public_paths.clone();
 
         let app_host = get_app_host(config);
 
@@ -70,6 +72,7 @@ impl TryFrom<&AppConfig> for OidcConfig {
             client_id: config.oidc_client_id.clone(),
             client_secret: client_secret.clone(),
             protected_paths,
+            public_paths,
             scopes: config
                 .oidc_scopes
                 .split_whitespace()
@@ -203,6 +206,20 @@ where
             return self.handle_oidc_callback(request);
         }
 
+        if self
+            .oidc_state
+            .config
+            .public_paths
+            .iter()
+            .any(|path| request.path().starts_with(path))
+        {
+            log::debug!(
+                "The request path {} is in a public path, skipping OIDC authentication",
+                request.path()
+            );
+            return Box::pin(self.service.call(request));
+        }
+
         if !self
             .oidc_state
             .config
