janoside / btc-rpc-explorer

Database-free, self-hosted Bitcoin explorer, via RPC to Bitcoin Core.
https://bitcoinexplorer.org
MIT License
1.52k stars 1.13k forks

Only require RPC password when actually viewing RPC routes #210

Open adamgall opened 4 years ago

adamgall commented 4 years ago

Currently, when the app is configured with BTCEXP_BASIC_AUTH_PASSWORD, the Basic Auth popup is displayed as soon as the site loads.

In my opinion, the Basic Auth popup should only be displayed when the user attempts to GET/POST /rpc-terminal and/or GET /rpc-browser.

With the new behavior, the explorer could remain public for general use, but require a password only when a user attempts to use the RPC functionality.

Kixunil commented 4 years ago

It'd be even better to support both as a DoS protection.

adamgall commented 4 years ago

Not a bad idea. I'll try to rebase the PR (to fix conflicts), and keep the original functionality. Might need to think about the design a little bit.

@Kixunil as a user of btc-rpc-explorer, how would you want to configure it to switch between those two auth modes?

Kixunil commented 4 years ago

Hmm, maybe BTCEXP_BASIC_AUTH_VIEW_PASSWORD and BTCEXP_BASIC_AUTH_MANAGE_PASSWORD?

Eventually, I'd love to see support for some kind of SSO though.
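The two-tier scheme discussed in this thread can be sketched as a single authorization decision function. This is an added example, not code from the thread or from btc-rpc-explorer; `cfg.viewPassword` and `cfg.managePassword` are hypothetical settings modelled on the names proposed above, and returning 403 when no manage password is set is a design choice of this sketch.

```javascript
const crypto = require("crypto");

// RPC routes named in the issue; everything else counts as a "view" route.
const MANAGE_ROUTES = ["/rpc-terminal", "/rpc-browser"];

// Constant-time compare; hashing first gives timingSafeEqual equal-length inputs.
function sameSecret(a, b) {
  const h = (s) => crypto.createHash("sha256").update(String(s)).digest();
  return crypto.timingSafeEqual(h(a), h(b));
}

// Password part of an "Authorization: Basic <base64(user:pass)>" header, or null.
function basicPassword(header) {
  const m = /^Basic\s+([A-Za-z0-9+/=]+)$/i.exec(header || "");
  if (!m) return null;
  const decoded = Buffer.from(m[1], "base64").toString("utf8");
  const i = decoded.indexOf(":");
  return i < 0 ? null : decoded.slice(i + 1);
}

// Normalise as Express's default router does (case-insensitive, trailing slash
// ignored) so "/RPC-Terminal/" cannot slip past the guard.
function isManageRoute(url) {
  const path = url.split("?")[0].toLowerCase().replace(/\/+$/, "") || "/";
  return MANAGE_ROUTES.some((r) => path === r || path.startsWith(r + "/"));
}

// Returns the HTTP status the guard would send: 200, 401 or 403.
// cfg.viewPassword / cfg.managePassword are hypothetical, after the names
// proposed in the thread; they are not existing project settings.
function authorize(url, authHeader, cfg) {
  const pw = basicPassword(authHeader);
  const okManage = !!cfg.managePassword && pw !== null && sameSecret(pw, cfg.managePassword);
  if (isManageRoute(url)) {
    if (!cfg.managePassword) return 403; // fail closed: RPC is never public
    return okManage ? 200 : 401;
  }
  if (!cfg.viewPassword) return 200; // public explorer, no view password set
  const okView = pw !== null && sameSecret(pw, cfg.viewPassword);
  return okView || okManage ? 200 : 401;
}

// Constructed sample header for trying the function out.
const hdr = (pw) => "Basic " + Buffer.from("user:" + pw).toString("base64");
```

With only a manage password set, the explorer stays public and the RPC routes prompt for credentials; setting both passwords restores a site-wide prompt while keeping the RPC routes behind the stronger secret.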