TheSpaghettiDetective / obico-server

Obico is a community-built, open-source smart 3D printing platform used by makers, enthusiasts, and tinkerers around the world.
https://obico.io
GNU Affero General Public License v3.0

[Feature] Support disabling the built-in authentication #668

Open com6056 opened 2 years ago

com6056 commented 2 years ago

Is your feature request related to a problem? Please describe. Nope, I just roll my own authentication layer and would love to disable Obico's built-in authentication so I don't have to log in twice.

Describe the solution you'd like Being able to disable Obico's built-in authentication.

kennethjiang commented 2 years ago

Do you think you can just implement this in your own fork, since it sounds like this is something very specific to your own setup?

We are using django-allauth and many parts of our backend are tightly coupled with it. If you have a clean way to disable it, you can send a PR and I'll review it.

com6056 commented 2 years ago

This is a pretty common feature asked for in self-hosted projects, even OctoPrint supports this: https://docs.octoprint.org/en/master/features/accesscontrol.html#autologin

I think just being able to do an auto-login like OctoPrint would be enough, no need to completely disable the auth system entirely. Happy to dig into it a bit when I have some free time though!

cp2004 commented 2 years ago

This is a pretty common feature asked for in self-hosted projects, even OctoPrint supports this: https://docs.octoprint.org/en/master/features/accesscontrol.html#autologin

Allowing people to effectively 'disable' authentication is not something we would like to have in OctoPrint, it's just the way that forced login had to be implemented due to too many people not setting up authentication properly and exposing everything to the internet stupidly. It is then very difficult to completely remove these options so 'workarounds' such as autologin with 0.0.0.0/0 exist because people come kicking and screaming on the doorstep insulting every living thing in sight if you upset them.

Better options such as trusting the basic auth headers exist, and mean that it is more difficult for people to just leave the door open to the world. https://docs.octoprint.org/en/master/configuration/config_yaml.html#access-control

kennethjiang commented 2 years ago

Good point about the potential risk of having an option to have auth disabled. It definitely shouldn't be the default. If we still want it, we should probably have a way to warn the user: "The auth is disabled on your Obico server! Make sure you have other ways to authenticate the users."

Another thing I want to point out is since basic auth is in the reverse proxy, not in the Obico server itself, anyone who makes it to the local network can have unauthenticated access to the server. I have a feeling this is a timed bomb that will explode sooner or later.
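As an added illustration of the two points above (trusting the proxy's auth header rather than disabling auth, and the LAN exposure when the server is reachable directly), here is a small Python sketch of the check such a middleware would need. It is not Obico's code nor anything posted in this thread; the header name, the proxy address and the function name are assumptions.

```python
# Added example, not Obico's code: honour a proxy-supplied identity header only
# when the request actually arrived from the trusted reverse proxy.
# TRUSTED_PROXIES and AUTH_HEADER are constructed values for this sketch.
import ipaddress

# Constructed config: only the reverse proxy that performs basic auth is trusted.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.5/32")]
# Header the proxy sets after it has authenticated the user (assumed name).
AUTH_HEADER = "X-Remote-User"


def authenticated_user(remote_addr, headers, trusted_proxies=None):
    """Return the username the proxy vouched for, or None.

    remote_addr must be the address of the immediate TCP peer, not a value
    taken from X-Forwarded-For, which any LAN client can set itself.
    The header is honoured only when that peer is a trusted proxy; a client
    that reached the server directly on the local network gets None and
    therefore falls through to the normal login, which is exactly the gap
    described in the comment above.
    """
    if trusted_proxies is None:
        trusted_proxies = TRUSTED_PROXIES
    try:
        peer = ipaddress.ip_address(remote_addr)
    except ValueError:
        return None
    if not any(peer in net for net in trusted_proxies):
        return None
    user = headers.get(AUTH_HEADER, "").strip()
    return user or None


if __name__ == "__main__":
    # Constructed requests: one via the proxy, one straight from the LAN.
    print(authenticated_user("10.0.0.5", {"X-Remote-User": "alice"}))     # alice
    print(authenticated_user("192.168.1.50", {"X-Remote-User": "alice"}))  # None
```

In a Django deployment the same logic would sit in a middleware that sets the request's user and otherwise lets django-allauth's login run, so there is no second login prompt behind the proxy and no open door from the LAN.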