when logging in: user can see all other users & package indexes

[BenjaminYde]

I am using devpi-lockdown and logging in with user and pass using nginx works successfully.
The problem i have is that when i login, the user can see all other users and package indexes.
Is this normal behaviour?
I want the user only to see their own account with all the package indexes below.
Maybe a quicker feature to implement is to say for what users the web-view can be loaded?
(for example only root can see this)

The users i have:

• root/pypi
• user-a/mono
• user-b/mono

For example when user-a logs in, they can see root/pypi and users-b while they only should be able to see user-a with the index mono.

versions:

devpi-lockdown-2.0.0
devpi-server-6.9.0
devpi-web-4.2.0

my nginx.conf:

# HTTP server redirects all traffic to HTTPS
server {
    listen 80;
    listen [::]:80;

    server_name _;

    # this redirects to the login view when not logged in
    recursive_error_pages on;
    error_page 401 = @error401;
    location @error401 {
        return 302 /+login?goto_url=$request_uri;
    }

    # lock down everything by default
    auth_request /+authcheck;

    # the location to check whether the provided infos authenticate the user
    location = /+authcheck {
        internal;

        proxy_pass_request_body off;

        proxy_set_header Content-Length "";
        proxy_set_header X-Original-URI $request_uri;
        proxy_set_header X-outside-url $scheme://$http_host;  # copy the value from your existing configuration
        proxy_set_header X-Real-IP $remote_addr;  # copy the value from your existing configuration

        proxy_pass http://devpi:3141;
    }

    location / {
        # workaround to pass all requests to / through to the named location below
        error_page 418 = @proxy_to_app;
        return 418;
    }

    location @proxy_to_app {
        proxy_pass http://devpi:3141;
        # the $x_scheme variable is only required if nginx is behind another
        # proxy (often the case in container environments),
        # if your nginx is the only proxy server, the $scheme variable can be
        # used and the map $http_x_forwarded_proto $x_scheme above be removed
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-outside-url $scheme://$http_host;
        proxy_set_header X-Real-IP $remote_addr;
    }
}

[fschulze]

The devpi-lockdown package is meant to lockout outsiders. The architecture of devpi-server makes it very hard to do proper user separation, as there are several possible sources of information leakage, like the search in devpi-web. It is possible to add some more restrictions with hooks in a plugin, but I never released that as a package, as it will never meet expectations for everyone and there are too many possible surprises. See devpi/devpi#824 (comment)