matt-oakes / dokku-secure-apps

A plugin for Dokku which secures an individual app with HTTP Basic authentication
MIT License

Make password settable through secure input #12

Open Padrio opened 5 years ago

Padrio commented 5 years ago

As I see, the only way to set the password is by passing it directly through the command line as an argument. This is often seen as a security flaw, since your password will be written into a log file.

You might consider changing this.
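One way to take the password from a no-echo prompt or a pipe instead of argv, as an added example that is not part of the thread or the plugin's own code. The function names `read_secret` and `htpasswd_line` are hypothetical, and hashing with `openssl passwd -apr1 -stdin` is an assumption about what is installed on the host.

```shell
#!/bin/sh
# Added example (not the plugin's code): keep the password out of argv, so it
# never lands in shell history, `ps` output or command logs.
# Usage (hypothetical file variable): htpasswd_line alice >> "$HTPASSWD_FILE"

# Read one line into $SECRET. On a terminal, prompt with echo disabled;
# otherwise read the piped line as-is.
read_secret() {
    SECRET=
    if [ -t 0 ]; then
        printf '%s' "$1" >&2
        _saved=$(stty -g)
        # Restore terminal echo if the user interrupts the prompt.
        trap 'stty "$_saved"; exit 130' INT TERM
        stty -echo
        IFS= read -r SECRET || true
        stty "$_saved"
        trap - INT TERM
        printf '\n' >&2
    else
        IFS= read -r SECRET || true
    fi
    if [ -z "$SECRET" ]; then
        echo "empty password refused" >&2
        return 1
    fi
}

# Print an htpasswd-format line "user:hash" for user $1.
# printf is a shell builtin, so the password travels to openssl through a
# pipe and never appears in any process's argument list.
htpasswd_line() {
    _user=$1
    case $_user in
        ''|*:*) echo "invalid username" >&2; return 1 ;;
    esac
    read_secret "Password for $_user: " || return 1
    _hash=$(printf '%s\n' "$SECRET" | openssl passwd -apr1 -stdin) || return 1
    SECRET=
    printf '%s:%s\n' "$_user" "$_hash"
}
```
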

Padrio commented 5 years ago

There is also a little bug, or more a cosmetic flaw, which displays every sub-command when displaying the help page:

Usage: dokku [--quiet|--trace|--rm-container|--rm|--force] COMMAND <app> [command-specific-options]

Primary help options, type "dokku COMMAND:help" for more details, or dokku help --all to see all commands.

Commands:

    apps                     Manage Dokku apps
    buildpacks               Manages buildpack settings for an app
    certs                    Manage Dokku apps SSL (TLS) certs
    checks                   Manage zero-downtime settings
    config                   Manages global and app-specific config vars
    docker-options           Pass options to Docker the various stages of an app
    domains                  Manage vhost domains used by the Dokku proxy
    enter                    Connect to a specific app container
    events                   Show the last events (-t follows)
    git                      Manages the git integration for an app
    help                     Print the list of commands
    logs                     Output app logs
    network                  Manages network settings for an app
    nginx                    Interact with Dokku's Nginx proxy
    proxy                    Manage the proxy used by dokku on a per app
    ps                       List processes running in app container(s)
    repo                     Runs commands that interact with the app's repo
    resource                 Manages resource settings for an app
    run                      Run a command in a new container using the current application image
    scheduler-docker-local   Manages the scheduler-docker-local integration for an app
    shell                    Spawn dokku shell
    ssh-keys                 Manage public ssh keys that are allowed to connect to Dokku
    storage                  Mount local volume / directories inside containers
    tags                     List all app image tags
    tar                      Deploy applications via tarball instead of git
    trace                    Enable dokku tracing
    url                      Show the first URL for an application (compatibility)
    urls                     Show all URLs for an application
    version                  Print dokku's version

Community plugin commands:

    letsencrypt                          Plugin for managing letsencrypt app integration
    mariadb                              Plugin for managing MariaDB services
    memcached                            Plugin for managing Memcached services
    mysql                                Plugin for managing MySQL services
    postgres                             Plugin for managing Postgres services
    redirect                             Plugin for managing application redirects
    redis                                Plugin for managing Redis services
    secure:delete <app>                  delete htpasswd file for this app
    secure:disable <app>                 remove security for this app
    secure:enable <app>                  enable security for this app
    secure:list <app>                    list users for this app
    secure:set <app> username password   add user to this app or update their password
    secure:unset <app> username          remove user from this app

As you see, every plugin outputs just the base command, and to get a list of available subcommands you would usually either use autocomplete or get the specific help page from the plugin.

matt-oakes commented 5 years ago

Thanks @Padrio. I am not currently using Dokku so won't have time to make any changes to this repo. Let me know if you would be happy to fix this and maybe step in as a maintainer.