-
-
Notifications
You must be signed in to change notification settings - Fork 17
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Request] Add support for password protection #11
Comments
How about JWTs? They could be sent with each request in the JSON object, and it seems to be the easiest way with how the dashboard is set up. |
How is the initial authentication done with this? And how do clients/browsers store and transmit it? Storing it on either local/session storage or a cookie both has security downsides. A common/safe way to transmit them seems to be via Authorization header (or in theory any other custom header), but browser won't do this automatically 🤔. Not sure if something could be done about this via JavaScript? |
My thought is that a dialog will be shown, and the password will be entered and sent to the backend. If the password matches, the backend will then generate a token and send it back. The token will then be used in every websocket request until it expires. I was just going to store it in a variable, though that would require logging in every time the page was loaded. |
And reload... I think to not make it nasty, there needs to be some kind of persistent storage at the client. Here is a good overview of options and their possible downsides: https://stackoverflow.com/a/40376819/16145737
|
Password protection implemented with 6eff076. New config file parameters:
It currently only works on page changes, I'm working on cleaning it up. |
Awesome! So you use JWTs now. Just for clarification: The sha512 is an unsalted hash, hence can be generated via Will do a quick test. |
Yes the hash is unsalted, and the secret is used to generate the token, however the token is stored in localStorage, and lasts for an hour before it expires (do you think it should last longer?). Once that happens, you will have to reenter the password. |
Ah, okay, I didn't see that one. That sounds good! |
Alright, everything should be using the token now. Only thing that I can't get to work is the terminal when you have to login. It won't load unless you reload the page. |
https://github.com/ravenclaw900/DietPi-Dashboard/blob/d3b716c/src/frontend/src/App.svelte#L308 Don't all routes require |
The terminal uses a separate websocket |
I thought that might be the reason as
Ah I see it, and also not relevant for the terminal socket handler. |
Mainly because Xterm uses its own attachment mechanism, which just sends data back and forth, and doesn't JSON encode anything, which is what the main socket is designed for. |
Ah I see. I guess it would be more overhead when using a /ws socket for token validation only and the /ws/term socket for the embedded terminal only, compared to the double validation code? But probably the validation itself can be done in a shared function? |
Good idea, though the |
Shared function added with 6603a7f. |
Since password protection has been implemented, I'm going to close this. |
Since the DietPi-Dashboard allows server administration and currently runs as root user, it makes sense to protect access. It doesn't run on a common port, so behind a NAT usually port forwarding needs to be enabled, but in other cases like a VPS the port might be publicly accessible OOTB and in other cases you may want to access DietPi-Dashboard remotely (while then I would always recommend a VPN).
Concepts:
0600
mode on the config file, I'm actually fine with asha512
hash only. A more complex compromise would besha512
hashed transfer, but salted/encrypted storing in the config file. The client then does the hashing only and the server does the salted hashing/encryption with the key/salt stored as well in the config file to have more more secure there. Again another way would be to send the key/salt hashed to the client to encrypt the password, lol this would be a whole own secure password transfer implementation 😄. Probably better to go with known HTTP authentication...The text was updated successfully, but these errors were encountered: