Login with exe
Use exe.dev's authentication system in your applications
You can leverage exe.dev's authentication system to identify users accessing
your services through the [HTTP proxy](./proxy). This lets you build
authorization without managing passwords or e-mails yourself.
The "Login with exe" feature is complementary to [Sharing](./sharing).
If a site is public, all users can access it, and the developer
can implement their own authorization, including bouncing users through
`/__exe.dev/login` to require an e-mail address. Private sites always
have the authentication headers, because the site must have been shared
to be accessed.
## Authentication Headers
When a user is authenticated via exe.dev, the following headers are added to
requests coming into your VM:
- `X-ExeDev-UserID`: A stable, unique user identifier
- `X-ExeDev-Email`: The user's email address
These headers are only present when the user is authenticated. If your proxy
is public, unauthenticated requests will not have these headers.
## Special Authentication URLs
The following special URLs are available for authentication flows:
- **Login**: `https://vmname.exe.xyz/__exe.dev/login?redirect={path}`
  Redirects the user to log in, then returns them to the specified path.
- **Logout**: POST `https://vmname.exe.xyz/__exe.dev/logout`
  Logs the user out, removing the cookie for your domain.
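
An application-side use of the headers and the login URL, added here as an example and not exe.dev's own code: a standard-library WSGI middleware that sends requests without `X-ExeDev-UserID` to the login URL and authorizes on the stable user ID. The allowlist contents, the `hello` app, the `exe.*` environ keys and the host-relative login path are assumptions, and the code assumes the app is reachable only through the exe.dev proxy.

```python
from urllib.parse import quote

# Constructed sample allowlist, keyed on the stable user ID rather than the e-mail.
ALLOWED_USER_IDS = {"usr1234"}
LOGIN_PATH = "/__exe.dev/login"  # special URL from this page, relative to the site's host
# Assumption: only the exe.dev proxy can reach this app, so the headers can be trusted.


def identity(environ):
    """Return (user_id, email) from the proxy headers, or None if unauthenticated."""
    user_id = environ.get("HTTP_X_EXEDEV_USERID", "").strip()
    email = environ.get("HTTP_X_EXEDEV_EMAIL", "").strip()
    return (user_id, email) if user_id else None


def login_redirect(environ):
    """Build the login URL that returns the user to the path they asked for."""
    path = environ.get("PATH_INFO") or "/"
    # Only ever send a local, single-slash path back through the login flow.
    if not path.startswith("/") or path.startswith("//"):
        path = "/"
    query = environ.get("QUERY_STRING", "")
    target = path + ("?" + query if query else "")
    return LOGIN_PATH + "?redirect=" + quote(target, safe="/")


def require_exe_login(app, allowed=ALLOWED_USER_IDS):
    """WSGI middleware: 302 to login when headers are absent, 403 when not allowed."""
    def wrapped(environ, start_response):
        who = identity(environ)
        if who is None:
            start_response("302 Found", [("Location", login_redirect(environ))])
            return [b""]
        if who[0] not in allowed:
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"Access denied.\n"]
        environ["exe.user_id"], environ["exe.email"] = who
        return app(environ, start_response)
    return wrapped


def hello(environ, start_response):
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [("Hello, " + environ["exe.email"] + "\n").encode()]


application = require_exe_login(hello)
```

Any WSGI server can serve `application`; on a public site the 302 branch is what turns an anonymous visitor into one with headers.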
## Development
If you're using an agent to develop on your exe.dev VM itself, your
server might be listening, for example, on http://localhost:8000/, and
nothing is providing these headers. Use an HTTP proxy to add the
headers for testing. For example:
```
mitmdump \
  --mode reverse:http://localhost:8000 \
  --listen-port 3000 \
  --set modify_headers='/~q/X-Exedev-Email/user@example.com' \
  --set modify_headers='/~q/X-Exedev-Userid/usr1234'
```
## Example: nginx authorization
The following `nginx` configuration allows only specified email addresses to access a protected location:
```nginx
server {
    listen 80;
    server_name _;

    location / {
        # Check if X-ExeDev-Email header matches allowed addresses
        set $allowed "false";
        if ($http_x_exedev_email = "alice@example.com") {
            set $allowed "true";
        }
        if ($http_x_exedev_email = "bob@example.com") {
            set $allowed "true";
        }

        # Return 403 if not allowed
        if ($allowed = "false") {
            return 403 "Access denied. Please log in with an authorized account.";
        }

        # Serve content for authorized users
        root /var/www/html;
        index index.html;
        try_files $uri $uri/ =404;
    }
}
```