Ideetron / Larank

Software for the Larank product range.
GNU General Public License v3.0

Add authentication to configuration page #10

Closed sillevl closed 7 years ago

sillevl commented 7 years ago

As of now, there is no authentication for either the lorank8 configuration page or the Cloud9 IDE.

Browsing the internet I found out how to add basic HTTP authentication to the Cloud9 IDE. But is there any way to add basic HTTP or any other form of authentication for the lorank8 configuration page?

Our gateway is connected to a large network and at the moment everybody can access the admin page and alter or delete configurations.

devlaam commented 7 years ago

At the moment we do not have a solution incorporated, but this is certainly something we will look into in the future. Depending on your skills and the required level of protection, there are a couple of things you can do yourself:

1) Install a firewall (for example https://wiki.debian.org/Uncomplicated%20Firewall%20(ufw)) and allow only SSH access. Make a bridge via a port forward with something like: ssh -L 8080:localhost:80 root@lorank8 and visit the internal website on local port 8080. Although this is very secure, it is also very cumbersome, as even a quick look at the website requires all these steps.

2) Configuration is not something you change a lot, so it is also possible to modify the file Lorank/lorank8v1/lorankctl and deactivate the instructions that are forbidden (after everything is running well). Deactivation can be achieved by simply adding _ before the command. For example, change

    elif [[ $1 == "DoReboot" ]]; then reboot && echo "Rebooting ... ";

to

    elif [[ $1 == "_DoReboot" ]]; then reboot && echo "Rebooting ... ";

Reboot will now be disabled from the website. Make sure you change nothing else, or make a copy of the original file. Commands that you typically want to deactivate are: DoShutdown, DoReboot, DoStartConc, DoStopConc, SetConf. The changes are effective immediately, no reboot needed.

francisdb commented 7 years ago

What script starts the node.js server? Should not be too hard to add basic auth.

sillevl commented 7 years ago

Did some research and found an answer. The configuration page is served by a Node.js Express server. It runs as a systemd service.

The server is configured in /usr/local/lib/node_modules/bonescript/server.js. The server runs Express v3.x. In the documentation I found some pointers on adding basic HTTP authentication to an Express 3.x app: http://expressjs.com/en/3x/api.html#basicAuth. I then added the following line to the server.js file:

app.use(express.basicAuth('username', 'password'));

I inserted this at line 23, right after the following piece of code:

...
function listen(port, directory) {
    var app = express();
    app.use(express.logger());
    app.use(express.basicAuth('username', 'password'));  // <----- I added this line
...

I then restarted the systemd service with the systemctl restart bonescript.service command.

To add basic HTTP authentication to the Cloud9 IDE you can follow this solution from Stack Overflow: http://stackoverflow.com/a/29642527/572444

devlaam commented 7 years ago

Nice! Behold the power of open source software, even for commercial products!

devlaam commented 7 years ago

We are thinking about whether and how such issues can be addressed in the new versions. However, security is a difficult subject and very easy to screw up. For the moment I hope that the solutions above can help people, but the advice is: put the Lorank behind a router/firewall or take some protective measure that guarantees that unauthorised access to the subnet the device is present on is not possible.