lokenx / plexrequests-meteor

Meteor version of the original Plex Requests
http://plexrequests.8bits.ca
Other
526 stars 136 forks source link

Allow disabling authentication entirely #520

Open pkoenig10 opened 6 years ago

pkoenig10 commented 6 years ago

This would be useful for servers that use SSO or some other authentication layer before requests reach PlexRequests. Forcing users to sign in twice is cumbersome in these setups.

See https://github.com/tidusjar/Ombi/issues/454 for related issue.

AngryNoodlez commented 6 years ago

Hi pkoenig10,

SSO is easy to implement with PlexRequests-Meteor as standard authentication just stores two values in localStorage.

I use PlexAuth and have PlexRequests-Meteor sign in automatically with a bit of JavaScript. Disabling authentication entirely would mean you wouldn’t get the benefit of seeing who’s requested items, and being able to apply restrictions to different users.

I’ve seen you’ve posted the same question on Ombi. With Ombi v3 it is also possible to implement SSO, though slightly more involved.

pkoenig10 commented 6 years ago

Right, by disabling any form of sign-in I'm implicitly saying I don't care who requests an item.

Is this JavaScript an automated task you've setup in your own browser? I was looking for a solution that worked for all users.

AngryNoodlez commented 6 years ago

It’s not a client side modification no, the jacascript is sent from the server and runs in the client browser, so works for all users.

Do you have discord?

pkoenig10 commented 6 years ago

I do not.

Can you just give a quick explanation of what you did? Does PlexAuth or PlexRequests allow you to send arbitrary JavaScript? Or did you just make direct modifications to the source code?

AngryNoodlez commented 6 years ago

If you use PlexAuth you can initiate JavaScript in multiple ways. If you use the muximux module and iFrame the Plexrequests content you can apply the JavaScript on PlexAuth, otherwise you can modify the code directly in Plexrequests.

From what I can see you have two ways of doing it;

1) If you don’t care about who requests things, you can sign all users in as one person. As far as I know this can be any username, it doesn’t need to be on your friends list. To do this, add the following script to your “client\templates\home\home.html” file. (Using Anonymous as an example)

<script>
localStorage.setItem("__amplify__auth","{\"data\":\"true\",\"expires\":null}");
localStorage.setItem("__amplify__user","{\"data\":\"Anonymous\",\"expires\":null}");
location.reload();
</script>

2) If you are bothered about the user who requests things, you can apply the same substituting the username, i.e Anonymous- with a variable containing their username. I use PlexAuth and store their username in a javascript variable, then set localStorage as below;

<script>
localStorage.setItem("__amplify__auth","{\"data\":\"true\",\"expires\":null}");
localStorage.setItem("__amplify__user","{\"data\":\"" + username + "\",\"expires\":null}");
</script>
pkoenig10 commented 6 years ago

I'm just using nginx with oauth2_proxy.

I think built-in support for unauthenticated requests is a pretty common and reasonable use case. You shouldn't have to modify source code or deploy a wrapping service just to get this behavior. Especially when the default configuration doesn't really authentication anything (it just asks for a way to identify a user).

AngryNoodlez commented 6 years ago

I agree, though I don’t think turning off authentication is a particularly common use case. Yes, this application doesn’t really have much in terms of security of standard users, (admin auth is different) but other applications such as Ombi do have full authentication.

But I’m by no means a developer, and to be honest I’d rather not have Ombi or Plexrequests-Meteor exposed directly so implementing an SSO solution which facilitated allowing me to identify each user is much more suitable. Building in support for SSO I guess would differ depending on the way it’s used, but that’s why Ombi v3 now has an API you can use to avoid modifying source code. You can use sub_filter in nginx to make this work - However, I’m not a big fan of Ombi so I’m more than happy to add a couple of lines of code to make seamless SSO work with my solution.

pkoenig10 commented 6 years ago

To be clear, I'm not asking for PlexRequests to integrate with SSO solutions to identify users; I agree that is outside the scope of this project. I don't really care to know who makes an individual requests. If they have access to the request page, I have already decided they are an authenticated user.

Many other services (including Sonarr, Radarr, and PlexPy) support disabling authentication entirely for this type of setup. I'm happy to make the PR. Just wanted to create the issue so it would be tracked.

AngryNoodlez commented 6 years ago

Thinking about it, you can use nginx sub_filter to add those values to local storage without modifying code, as it would just inject it in the session.

Though I can’t see any harm in it allowing for authentication to be disabled.