chiefwigms / picobrew_pico

MIT License

interest check on basic auth for templates routes #359

Open dzsquared opened 1 year ago

dzsquared commented 1 year ago

Due to the way I have my instance deployed, I’d like to protect the web UI routes with basic auth. Is there interest in incorporating an optional admin password for routes that render templates? If so, I can open a draft PR for more discussion based on the early implementation I have.

tmack8001 commented 1 year ago

I'm not against this. Guessing @dzsquared you have this deployed in a publicly accessible way (makes sense to me), because in that way you then have remote monitoring of your sessions like we had with the traditional mothership service.

If we were to include basic authentication it would be best to make it an opt-in feature. Ideally with a UI to configure and change the Basic Authentication setup which then gets printed into the config.yaml file where all other server settings are persisted.

tmack8001 commented 1 year ago

A draft PR would be a great way forward to have a discussion on the direction and implementation of this. With a publicly accessible server deploy you may also want to limit the machine series APIs to only the machines that are configured / aliased by your server; that way there is at least a bit of protection around random data points being created, though I doubt that is really a problem... I haven't seen this personally.

chiefwigms commented 1 year ago

I'm not against this. Guessing @dzsquared you have this deployed in a publicly accessible way (makes sense to me), because in that way you then have remote monitoring of your sessions like we had with the traditional mothership service.

If we were to include basic authentication it would be best to make it an opt-in feature. Ideally with a UI to configure and change the Basic Authentication setup which then gets printed into the config.yaml file where all other server settings are persisted.

I'm of the opinion to keep it simple - a lot of the "features" seemingly have cluttered the code, but 🤷‍♂️. Like @tmack8001 said, I'd definitely make it opt-in though. Worst case, just make an auth branch and maintain any master updates? There are several users now, so if this isn't a widespread feature I don't want it breaking basic functionality.
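
The opt-in behaviour discussed in this thread, as an added example that is not code from picobrew_pico or from any participant: a standard-library WSGI middleware that leaves everything open unless auth is enabled, and then challenges only non-machine routes. The `basic_auth` config section and its keys, the `/API/` machine prefix, the realm name, and the `demo_app` / `status_for` helpers are assumptions made for illustration.

```python
import base64
import hashlib
import hmac

def hash_password(password, salt):
    # Store only a salted PBKDF2 hash in config.yaml, never the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000).hex()

class OptionalBasicAuth:
    """WSGI middleware: Basic auth on UI routes, only when enabled in config."""

    def __init__(self, app, config, open_prefixes=("/API/",)):
        self.app = app
        self.auth = config.get("basic_auth") or {}  # hypothetical config section
        self.open_prefixes = tuple(open_prefixes)   # assumed machine API prefix

    def _credentials_ok(self, header):
        scheme, _, token = header.partition(" ")
        if scheme.lower() != "basic":
            return False
        try:
            decoded = base64.b64decode(token, validate=True).decode("utf-8")
        except ValueError:  # malformed base64 or invalid UTF-8
            return False
        user, sep, password = decoded.partition(":")
        salt = bytes.fromhex(self.auth["salt"])
        # Constant-time comparisons; evaluate both before combining.
        user_ok = hmac.compare_digest(user.encode(), self.auth["username"].encode())
        pass_ok = hmac.compare_digest(hash_password(password, salt),
                                      self.auth["password_hash"])
        return bool(sep) and user_ok and pass_ok

    def __call__(self, environ, start_response):
        path = environ.get("PATH_INFO", "")
        if not self.auth.get("enabled") or path.startswith(self.open_prefixes):
            return self.app(environ, start_response)  # opt-in: default is open
        if self._credentials_ok(environ.get("HTTP_AUTHORIZATION", "")):
            return self.app(environ, start_response)
        start_response("401 Unauthorized", [
            ("WWW-Authenticate", 'Basic realm="picobrew"'),
            ("Content-Type", "text/plain")])
        return [b"Authentication required\n"]

def demo_app(environ, start_response):  # constructed stand-in for the real app
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok\n"]

def status_for(app, path, authorization=None):
    """Call a WSGI app once and return the status line it sent."""
    environ = {"PATH_INFO": path, "REQUEST_METHOD": "GET"}
    if authorization is not None:
        environ["HTTP_AUTHORIZATION"] = authorization
    seen = []
    app(environ, lambda status, headers: seen.append(status))
    return seen[0]
```

Basic credentials are only base64-encoded on the wire, so a publicly reachable deployment still needs TLS in front of this check.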