{"id":13741202,"url":"https://github.com/robcast/iiif-image-auth","last_synced_at":"2025-05-08T21:32:49.791Z","repository":{"id":69907421,"uuid":"196552814","full_name":"robcast/iiif-image-auth","owner":"robcast","description":"Simple IIIF image server with authentication server.","archived":false,"fork":false,"pushed_at":"2019-07-15T15:49:00.000Z","size":49,"stargazers_count":5,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"master","last_synced_at":"2024-08-04T04:07:35.477Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/robcast.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2019-07-12T09:42:58.000Z","updated_at":"2023-02-25T17:33:00.000Z","dependencies_parsed_at":"2023-04-21T18:31:05.447Z","dependency_job_id":null,"html_url":"https://github.com/robcast/iiif-image-auth","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/robcast%2Fiiif-image-auth","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/robcast%2Fiiif-image-auth/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/robcast%2Fiiif-image-auth/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/robcast%2Fiiif-image-auth/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/robcast","download_url":"https://codeload.github.com/robcast/iiif-image-auth/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":224774689,"owners_count":17367776,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-03T04:00:56.719Z","updated_at":"2024-11-15T11:30:59.923Z","avatar_url":"https://github.com/robcast.png","language":"Python","funding_links":[],"categories":["Authentication"],"sub_categories":["Image viewers (Image API only)"],"readme":"# iiif-image-auth\n\nA simple [IIIF-Image API](https://iiif.io/api/image/2.1/) server \nwith [IIIF-Auth API](https://iiif.io/api/auth/1.0/) support.\n\nThis Docker setup provides:\n\n* [digilib](https://github.com/robcast/digilib) image server\n* or [IIPImage](https://github.com/ruven/iipsrv) image server built with \n[OpenJPEG](https://github.com/uclouvain/openjpeg) for JPEG2000 image support\n* [Flask](https://palletsprojects.com/p/flask/) authentication web application using \n[Flask-Admin](https://flask-admin.readthedocs.io/) and \n[Flask-Security](https://pythonhosted.org/Flask-Security/)\n* [Nginx proxy](https://github.com/jwilder/nginx-proxy) connecting the image and the authentication server \n\nImages from the configured image folder (`IMAGE_DIR`) are served at the IIIF Image API endpoint \nhttp://your.server/iiif/images/ and IIIF Presentation API manifests at http://your.server/iiif/manifests/ \n(digilib uses \"!\" as path separator so your directory `mydir/mysubdir` becomes \nhttp://your.server/iiif/manifests/mydir!mysubdir).\n\nThe authentication server user management frontend can be reached at \nhttp://your.server/auth/admin/ (initial user: `AUTH_ADMIN_USERID`, `AUTH_ADMIN_PASSWORD`).\n\nAll images are accessible for all users defined in the authentication server.\nIf you want to extend the application to implement more granular permissions\nlook at `validate()` in [auth/app.py](auth/app.py).\n\n## Requirements\n\nYou need Docker and docker-compose.\n\n## Configuration\n\nCreate a `.env` file by copying the sample file:\n```\ncp .env.template .env\n```\n\nEdit `.env` and put your host name in `VIRTUAL_HOST` and the image\ndirectory on your host in `IMAGE_DIR`.\n\nAdd secrets (random strings) to `AUTH_SECRET_KEY` and `AUTH_PASSWORD_SALT` and user\ncredentials for the initial admin user in `AUTH_ADMIN_USERID` and `AUTH_ADMIN_PASSWORD`.\n\nEnter a database connection in `AUTH_DB_CONNECTION` (e.g. a sqlite file inside the container).\n\nAdd `LETSENCRYPT_EMAIL` for the letsencrypt-proxy-companion.\n\n## Run\n\n```\ndocker-compose up -d\n```\n\nStarts the image and auth server and proxy at port 80 and 443.\n\nThe [letsencrypt-proxy-companion](https://github.com/JrCs/docker-letsencrypt-nginx-proxy-companion) \nautomatically downloads letsencrypt SSL certificates.\n\nIf you like to use iipsrv instead of digilib run:\n\n```\ndocker-compose -f docker-compose-iipsrv.yml up -d\n```\nWith iipsrv you need to supply your own manifests in a directory that you set in `MANIFEST_DIR`.\n\n## Implementation details\n\nAuthorization for image (and manifest) requests relies on the Nginx \n[http_auth_request](http://nginx.org/en/docs/http/ngx_http_auth_request_module.html) module configured \nin the files [proxy/vhost.d/default](proxy/vhost.d/default)\nand [proxy/vhost.d/default_location](proxy/vhost.d/default_location).\n\nFor every request by the client to the proxy the proxy makes another request (without body)\nto the `query_auth` endpoint in the auth application and forwards the clients original\nrequest only if the auth application returns a 200 result code.\n\nThe `query_auth` endpoint checks the clients credentials provided either as a session cookie\nof a Flask-Login session or a token in the `Authorization` header.\n\nWhen the client does not provide the necessary credentials the `query_auth` endpoint returns a\n401 error code. In this case the proxy sends a response with a 401 status code to the client \nincluding a preconfigured manifest or image info document as the message body.\nThe document includes ULRs for the *Access Cookie Service* and *Access Token Service* service \nendpoints as required by the [IIIF-Auth specification](https://iiif.io/api/auth/1.0/).\n\nThe *Access Cookie Service* is implemented by the `/iiif-login` endpoint. It is supposed to be\nopened in a separate tab by the IIIF client. It will provide a login form if the user is\nnot already logged in and try to close the window after a successful login. This interaction\nwill set a session cookie for the content domain.\n\nThe *Access Token Service* is implemented by the `/iiif-token` endpoint. It is supposed to \nbe opened in an iframe with a PostMessage handler by the IIIF client. It returns a token\nif the request had a session cookie and an error code otherwise.\n\n## Additional configuration\n\nTo prevent the letsencrypt-proxy-companion from trying to fetch certificates you can disable the service\nby creating a file `docker-compose.override.yml` with the contents:\n\n```\nversion: '3'\n\nservices:\n  certbot:\n    image: tianon/true \n    restart: \"no\"\n```\n\n\n## Acknowledgements\n\nThe Flask auth app heavily borrowed from [sasaporta/flask-security-admin-example](https://github.com/sasaporta/flask-security-admin-example) and the [flask-admin/flask-admin](https://github.com/flask-admin/flask-admin) examples.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frobcast%2Fiiif-image-auth","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Frobcast%2Fiiif-image-auth","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frobcast%2Fiiif-image-auth/lists"}