Securing Mattermost via lua-nginx

Dexter Chua, 23 July, 2020

As announced in the previous blog post, the SRCF has just launched a new Mattermost instance. Mattermost is developed on an open-core model: a free, open-source tier plus paid “Enterprise” features. Being a student-run society, we went with the free tier, officially known as “Team Edition”. The Team Edition lacks some access control features that would be useful for us. After numerous failed attempts to do access control the “right” way, we decided to intercept Mattermost’s API calls at nginx, using lua-nginx-module to run our own access-control logic before passing them on to Mattermost. The result is finer-grained permission control than we would have had with the Enterprise Edition.
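To make the interception pattern concrete, here is an added example of what an nginx-side hook of this kind looks like. It is not the SRCF’s actual configuration: it assumes lua-nginx-module (or OpenResty) with lua-cjson available, Mattermost listening on 127.0.0.1:8065, an assumed hostname, and a hypothetical policy in which only the users in `team_creators` may create new teams. The hook resolves the caller’s session by asking Mattermost’s own `/api/v4/users/me` endpoint through an internal subrequest, so it never has to parse or trust the session token itself.

```nginx
# Added example, not the SRCF's configuration. Assumes lua-nginx-module /
# OpenResty, lua-cjson, Mattermost on 127.0.0.1:8065, and a hypothetical
# policy: only usernames in `team_creators` may POST /api/v4/teams.
upstream mattermost {
    server 127.0.0.1:8065;
}

server {
    listen 443 ssl;
    server_name mattermost.example.org;   # assumed hostname

    # Internal location the Lua hook uses to ask Mattermost who the caller
    # is. The subrequest forwards the client's own session cookie and any
    # bearer token, so Mattermost does the session validation for us.
    location = /_whoami {
        internal;
        proxy_pass http://mattermost/api/v4/users/me;
        proxy_set_header Host $host;
        proxy_set_header Cookie $http_cookie;
        proxy_set_header Authorization $http_authorization;
    }

    location /api/v4/teams {
        access_by_lua_block {
            -- Hypothetical allowlist; in practice load it from a file or DB.
            local team_creators = { alice = true, bob = true }

            -- Only team creation (exactly POST /api/v4/teams) is gated here;
            -- everything else under this prefix passes straight through.
            if ngx.var.request_method ~= "POST" or ngx.var.uri ~= "/api/v4/teams" then
                return
            end

            -- Resolve the session to a username via the internal subrequest.
            local res = ngx.location.capture("/_whoami")
            if res.status ~= ngx.HTTP_OK then
                -- No valid session: let the client see the same 401 it would
                -- get from Mattermost, without ever reaching the upstream.
                return ngx.exit(ngx.HTTP_UNAUTHORIZED)
            end

            local cjson = require "cjson.safe"
            local me = cjson.decode(res.body)
            if not me or not team_creators[me.username] then
                ngx.log(ngx.WARN, "denied team creation for ",
                        me and me.username or "<unknown>")
                return ngx.exit(ngx.HTTP_FORBIDDEN)
            end
            -- Allowed: fall through to proxy_pass below.
        }
        proxy_pass http://mattermost;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    # Everything else goes to Mattermost unchanged.
    location / {
        proxy_pass http://mattermost;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

Two points worth noting when writing hooks like this. First, the decision is made in the `access` phase, before `proxy_pass` runs, so a denied request never reaches Mattermost at all. Second, because the hook identifies the caller by asking Mattermost rather than by decoding the cookie, a change in Mattermost’s token format does not silently turn the check into an allow; a failed lookup is a 401, not a pass-through.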