Duosion / starpoint

Server emulator for a mobile pinball game.
GNU General Public License v3.0

[FEATURE] Add basic login to admin panel #30

Closed FinecoFinit closed 3 months ago

FinecoFinit commented 4 months ago

Want to host it, but exposing the admin panel to everyone is insecure.

121GWJolt commented 3 months ago

Assuming you're hosting it for yourself and friends, you could probably just set it up behind an auth portal hosted on the reverse proxy, like this repo allows, and get really good security without having to host the auth yourself and worry about security. The auth is configured per server entry, so it wouldn't affect the proxy itself.

You'd need something like nginx to do the SSL redirect anyway.

FinecoFinit commented 3 months ago

@121GWJolt The game app makes calls to na.wdfp.kakaogames.com, where the admin panel is hosted. The best solution here, as I see it, is to place the admin panel on another URL path.

121GWJolt commented 3 months ago

If something has to be put on another path, I feel like in that case it'd be cleaner to change where wdfp goes, tbh, and put that on a subpath like the rest of the stuff. I haven't read the source entirely, but it at least looks like it wouldn't be the worst thing in the world to accomplish. Would also still be fine behind the reverse proxy since making the subfolder available wouldn't offer a way to access the parent.

Plus, the auth doesn't really need to be in the site itself since the program in its current incarnation doesn't really have any incentive to not be hosted locally for small groups, especially with the DNS server requirement, so at least you wouldn't need to have multiple accounts for people to upload their saves, etc.

How were you going to host it? I guess you're not using a private VPN if you need an auth portal... but then you'd probably still want to secure something about the accounts so that only people who were supposed to use your instance could, right? Like a registration freeze once everyone's made an account?

FinecoFinit commented 3 months ago

Look at this: mitm-redirect-traffic.py. I already host starpoint; the only thing you have to do is set my DNS server on your phone to access starpoint.

121GWJolt commented 3 months ago

Wait, you're using mitmproxy over the Internet? I guess it's not in WireGuard mode, then, since you're only talking about changing the DNS?

FinecoFinit commented 3 months ago

I use Docker, Traefik (reverse proxy) and AdGuard Home (DNS).

121GWJolt commented 3 months ago

Oh okay, yeah I can understand that setup. Then I guess you'd probably want something like this auth module instead.

FinecoFinit commented 3 months ago

@121GWJolt As I said earlier, you can't do that, because the game itself needs a connection to na.wdfp.kakaogames.com.

121GWJolt commented 3 months ago

@FinecoFinit

Okay, so actually... turns out every wdfp route goes through /latest/api/index.php.

So you can just do:

Host(`na.wdfp.kakaogames.com`) && PathPrefix(`/latest/api/index.php`)

and then auth starpoint itself on another URL.

At least, according to traefik's docs this should work, anyway. LMK whether it does or doesn't!

121GWJolt commented 3 months ago

For extra security, you can probably also use

&& ClientIP(`192.168.1.0/24`)

on any of these services with respective local IPs to do extra blocking of unauthorized access.
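The two rules suggested above, combined into one Traefik v3 dynamic configuration for the file provider. This is an added example, not code from the starpoint project or from either commenter; the router, middleware and service names, the admin hostname `admin.starpoint.example`, the backend URL and the LAN range are assumptions.

```yaml
# Traefik v3 dynamic configuration (file provider). Added example, not part of
# the starpoint repo; names, the admin hostname, backend URL and LAN range
# are assumptions.
http:
  routers:
    # Game traffic: the app only ever calls /latest/api/index.php on this host,
    # so this router stays open (no auth middleware) but matches nothing else.
    wdfp-game:
      rule: "Host(`na.wdfp.kakaogames.com`) && PathPrefix(`/latest/api/index.php`)"
      entryPoints: ["websecure"]
      service: starpoint
      tls: {}
      priority: 100   # evaluated before the admin router regardless of rule length

    # Admin panel: separate hostname, basic auth, and limited to the LAN.
    # Requests to na.wdfp.kakaogames.com outside the API prefix match no
    # router in this file, so Traefik answers them with a 404.
    starpoint-admin:
      rule: "Host(`admin.starpoint.example`) && ClientIP(`192.168.1.0/24`)"
      entryPoints: ["websecure"]
      service: starpoint
      tls: {}
      middlewares: ["admin-auth"]

  middlewares:
    admin-auth:
      basicAuth:
        # htpasswd-style entries; generate one with: htpasswd -nB admin
        users:
          - "admin:$2y$05$REPLACE_WITH_BCRYPT_HASH"   # placeholder, not a real hash

  services:
    starpoint:
      loadBalancer:
        servers:
          - url: "http://starpoint:8080"   # container name and port are assumptions
```

With `traefik` as the edge proxy, `ClientIP` sees the real remote address; if another proxy sits in front of it, the matcher would see that proxy's address instead and the allow-list would not do what you expect.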

FinecoFinit commented 3 months ago

@121GWJolt

Host(`na.wdfp.kakaogames.com`) && PathPrefix(`/latest/api/index.php`)

Damn, it's working.

121GWJolt commented 3 months ago

Alright, glad to know! Hope it keeps your personal instance guarded from outside access!

For future reference, it turns out it's also possible to exclude paths and make a wildcard match for "every path but root" using PathRegex, so even if it turns out the domain needs dividing, the rules are flexible enough to manage the paths that way instead.

I suppose this issue is close-able now?

121GWJolt commented 3 months ago

@FinecoFinit ^?