Closed Samurai336 closed 6 months ago
Continuing the conversation from #209, have you considered whitelisting IPs? E.g. https://www.purevpn.com/blog/how-to-whitelist-ip-in-nginx/ This would allow only certain machines to access your server.
In any case, even if it was possible to add basic auth to requests coming out of Playlet, this can't be added to all kinds of requests, as some of them (like loading images) are handled by the OS directly. This might not be possible without a very complicated setup in Playlet.
Whitelisting in my case I don't think would work, because it's residential IPs on both ends and they are subject to change.
Given an Invidious instance is hosted at a home and its domain is updated by a DDNS system, keeping an accurate whitelist gets hard.
The example is if I'm at a friend's house and want to use my Invidious instance on his Roku, I'd then have to hook him into my VPN or check what his IP is at the time and then whitelist him, instead of just adding in a user name and password. The basic auth, if technically harder, seems to come out as the better user experience.
I haven't dug into Roku APIs; does their client not have a way of attaching basic auth headers to any outbound request?
Some API calls can have auth headers. But images, for example, are loaded using Posters in a SceneGraph application, which don't have any input besides the URL of the image. This is similar to how an HTML <img> tag only takes the link to the image, not headers.
Interesting, yeah, that would take a minute to figure out.
Following up on this - I'm fairly certain there isn't any sensible way to implement this into Playlet. Other mechanisms (like VPNs) need to be used instead if you want to have full privacy of your Invidious instance.
I'd like to be able to give Playlet basic auth credentials in the settings for limiting access to my Invidious instance, as a way of making it available over the internet but limiting who can see it (i.e. bots, indexers, scrapers, DMCA, etc.).