[Feature] Custom URL endpoint protection #520

Open
tlvu opened this issue Jul 8, 2022 · 5 comments
Labels
feature New feature to be developed question waiting-for-feedback Wait for user to provide feeback about an issue.

Comments

@tlvu
Contributor

tlvu commented Jul 8, 2022

Is your feature request related to a problem? Please describe.

We want to restrict a list of custom URLs to only a few users. In order for the users to avoid having to have multiple passwords, we want to integrate with Twitcher/Magpie if the feature is possible.

Sample URL: https://notos.ouranos.ca/panel_serve/Analogues-Spatiaux-Dashboard. This is behind Nginx. Is there an integration of Twitcher/Magpie with Nginx?

We could have a lot more URLs.

Describe the solution you'd like

To minimize the effort of this feature, web UI wise, all the configs could be done via configuration files and the UI will only display the status (i.e. no edit via the web UI, like for Thredds or all the WPS services).

Describe alternatives you've considered

We let Nginx handle the authorization, so the users end up having multiple different passwords to remember (JupyterHub password and one password for each dashboard the user wants to access).

Additional context

This is an effort to share dashboards (Jupyter notebooks via Panel serve) to users, without the usual JupyterLab interface with codes so it is more user-friendly to users if they do not need to modify the code and do not need to know how to run the notebook.

This allows for dashboard sharing in a way that is more "general public" a la "portrait climatique" but without being 100% public to protect us from being DOS (Denial Of Service) attacked since all those dashboards are dynamic and not static like "portrait climatique".

FYI @tlogan2000 @huard @aulemahal

@tlvu tlvu added the feature New feature to be developed label Jul 8, 2022
@fmigneault
Collaborator

Magpie does not directly have an integration with Nginx.
If Nginx can perform some kind of pre-request redirect toward the Magpie login endpoint to retrieve its authentication credential, then Magpie/Twitcher could be used.

@tlvu
Contributor Author

tlvu commented Jul 10, 2022

> Magpie does not directly have an integration with Nginx.

OK no problem. How about using Twitcher as a "front application proxy" as right now with Thredds and all the WPS services, meaning hiding the custom protected URL behind `/twitcher/ows/proxy/....`? Ex: `/twitcher/ows/proxy/panel_serve/Analogues-Spatiaux-Dashboard`?

@fmigneault
Collaborator

The panel_serve would match the name of the service you defined in Magpie.
That service can have different methods of parsing what follows after according to its type.

@tlvu
Contributor Author

tlvu commented Jul 11, 2022

> The panel_serve would match the name of the service you defined in Magpie. That service can have different methods of parsing what follows after according to its type.

That sounds good.

Do not implement anything for now. We are simply evaluating our options.

Just curious, with the current design, is it simple to add a new service with custom parsing, or is a refactoring needed to add this generic feature?

@fmigneault
Collaborator

Yes. Only need to add the relevant "Service" class derived from ServiceInterface here: https://github.com/Ouranosinc/Magpie/blob/master/magpie/services.py and define its abstract methods for the request parsing method and applicable permissions.

@fmigneault fmigneault added question waiting-for-feedback Wait for user to provide feeback about an issue. labels Oct 27, 2022
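
The routing idea discussed in this thread (the first path segment after `/twitcher/ows/proxy/` names the service, and the rest is parsed as the resource), as an added example that is not Magpie or Twitcher code and not written by either participant. `POLICY`, `split_proxy_path`, `is_allowed` and the user name are hypothetical; the example assumes a grant on a path also covers paths below it, and it denies anything it cannot parse unambiguously.

```python
from urllib.parse import unquote, urlsplit

PROXY_PREFIX = "/twitcher/ows/proxy/"  # prefix quoted in the thread

# Constructed policy standing in for a configuration file (hypothetical layout):
# service name -> {resource path -> users allowed}; "" is the service root.
POLICY = {
    "panel_serve": {"Analogues-Spatiaux-Dashboard": {"alice"}},
}


def split_proxy_path(url):
    """Return (service, resource) for a proxy URL, or None if it must be refused."""
    path = urlsplit(url).path  # query string and fragment are not part of the resource
    if not path.startswith(PROXY_PREFIX):
        return None
    rest = unquote(path[len(PROXY_PREFIX):])
    # Refuse input the backend might read differently than this check does:
    # leftover escapes (double encoding), backslashes, NUL bytes, dot segments.
    if "%" in rest or "\\" in rest or "\x00" in rest:
        return None
    parts = rest.split("/")
    if any(p in (".", "..") for p in parts):
        return None
    parts = [p for p in parts if p]  # collapse empty segments from "//"
    if not parts:
        return None
    return parts[0], "/".join(parts[1:])


def is_allowed(user, url, policy=POLICY):
    """Default-deny check: unknown service, unknown path or bad URL all deny."""
    parsed = split_proxy_path(url)
    if parsed is None:
        return False
    service, resource = parsed
    rules = policy.get(service)
    if rules is None:
        return False
    # Walk from the requested path up to the service root ("").
    while True:
        if user in rules.get(resource, set()):
            return True
        if not resource:
            return False
        resource = resource.rpartition("/")[0]
```
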