contribsys / faktory

Language-agnostic persistent background job server
https://contribsys.com/faktory/

Feature suggestion: Option to disable web UI password #458

Closed ibrahima closed 9 months ago

ibrahima commented 10 months ago

It would be nice if there was an option to disable the web UI password altogether. I found that you can configure a separate password for the web UI vs the worker protocol, which is kind of nice, but you can't disable it from this option. In some cases, if you are already securing the web UI via some other mechanism that sits in front of it, having a password on the web UI is a bit redundant and mildly annoying.

https://github.com/contribsys/faktory/blob/b3e739a6c10164b3bdd3bf34dda9405964bd4137/webui/web.go#L205-L210

# example current config
[web]
password = "faktory"

# suggested new config
disable_password = true

(As a side note, it feels like setting a separate web UI password would be a generally better security practice anyway since people might try to save the web UI password in their browser, which increases the potential places where someone could steal the password from.)

Let me know what you think! This is certainly not an urgent or important request, but I thought I would throw the idea out there to get feedback. Coming from Sidekiq, it was a bit surprising to me that Faktory's web UI has a password that happens to be the same as the worker protocol password.

mperham commented 10 months ago

I think the Web UI password is only required in production mode? For local development, you shouldn't need it at all.

mperham commented 10 months ago

And since it's just HTTP Basic Auth, the browser should cache the credentials for future access.

ibrahima commented 10 months ago

I think it's also required in development mode if a password is set but I'm not 100% sure (I definitely have gotten a password prompt in my development environment though I wonder if we set the mode incorrectly or something). But I guess we don't have to set a password in development at all so maybe that would simplify things?

Yeah, the browser does cache it, but it does seem to expire eventually; at least I seem to need to enter it more often than I would expect. And this might be specific to my setup, but with Firefox and with the 1Password extension installed as a password manager, neither the browser nor 1Password offers to save it.

Anyway, it's really only a minor inconvenience, but it would be nice if this was optional since people might use other security mechanisms in front of Faktory to secure the admin interface.

mperham commented 10 months ago

Try FAKTORY_SKIP_PASSWORD=true

ibrahima commented 10 months ago

Hmm okay, so that would allow us to disable the password in production, but I'm guessing that that's for both the worker protocol and the web UI right? I was thinking of just disabling it for the web UI but thinking about it further, in our case it may make sense to just use network security rules for the workers and disable the password altogether.

https://github.com/contribsys/faktory/blob/b3e739a6c10164b3bdd3bf34dda9405964bd4137/cli/cli.go#L289-L299

mperham commented 10 months ago

Exactly, the skip option is there so users can opt into disabling Faktory's internal security, and imply that they are going to handle auth some other way.
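As an added example (not part of this thread and not Faktory's own code) of "handling auth some other way": a small authenticating reverse proxy placed in front of the web UI, for a deployment where Faktory runs with FAKTORY_SKIP_PASSWORD=true and its UI is reachable only from the proxy host. It assumes the UI listens on 127.0.0.1:7420 and that the proxy credentials come from hypothetical UI_USER / UI_PASS environment variables.

```go
// Added example, not Faktory's code. Assumes the Faktory web UI is bound to
// 127.0.0.1:7420 and that UI_USER / UI_PASS (hypothetical names) hold the
// credentials the proxy should enforce.
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"log"
	"net/http"
	"net/http/httputil"
	"net/url"
	"os"
)

// authorized compares supplied and expected credentials in constant time.
// Both sides are hashed first so the compared slices always have equal
// length, and the two results are combined with & rather than && so the
// username check does not short-circuit the password check.
func authorized(user, pass, wantUser, wantPass string) bool {
	u, wu := sha256.Sum256([]byte(user)), sha256.Sum256([]byte(wantUser))
	p, wp := sha256.Sum256([]byte(pass)), sha256.Sum256([]byte(wantPass))
	return subtle.ConstantTimeCompare(u[:], wu[:])&subtle.ConstantTimeCompare(p[:], wp[:]) == 1
}

// basicAuth lets only requests with valid HTTP Basic credentials reach next;
// everything else receives a 401 with a WWW-Authenticate challenge.
func basicAuth(next http.Handler, wantUser, wantPass string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		user, pass, ok := r.BasicAuth()
		if !ok || !authorized(user, pass, wantUser, wantPass) {
			w.Header().Set("WWW-Authenticate", `Basic realm="faktory-ui", charset="UTF-8"`)
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	target, _ := url.Parse("http://127.0.0.1:7420") // assumed Faktory UI address
	proxy := httputil.NewSingleHostReverseProxy(target)
	user, pass := os.Getenv("UI_USER"), os.Getenv("UI_PASS")
	if user == "" || pass == "" {
		log.Fatal("UI_USER and UI_PASS must be set")
	}
	log.Fatal(http.ListenAndServe(":8080", basicAuth(proxy, user, pass)))
}
```

With this in front, the UI keeps a login prompt that the browser can cache, while Faktory's own password stays disabled for the worker protocol the way the thread describes.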