mongo-express / mongo-express-docker

a dockerized mongo-express for viewing mongoDB in the browser
MIT License

ATTENTION! ME_CONFIG_BASICAUTH_USERNAME_FILE has stopped working on 1.0.2! #117

Closed b83 closed 8 months ago

b83 commented 8 months ago

All of a sudden, with the latest version, the ME_CONFIG_BASICAUTH_USERNAME_FILE and ME_CONFIG_BASICAUTH_PASSWORD_FILE environment variables stopped working, making pages insecure, without the Basic Auth.

Can be reproduced with Docker Swarm, or I suppose with a regular Docker environment as well. Falling back to version 1.0.0 brings back the Basic Auth.

...
  mongo-express:
    image: mongo-express
    environment:
      - ME_CONFIG_MONGODB_SERVER=mongodb
      - ME_CONFIG_MONGODB_ENABLE_ADMIN=true
      - ME_CONFIG_MONGODB_ADMINUSERNAME_FILE=/run/secrets/MONGO_INITDB_ROOT_USERNAME
      - ME_CONFIG_MONGODB_ADMINPASSWORD_FILE=/run/secrets/MONGO_INITDB_ROOT_PASSWORD
      - ME_CONFIG_BASICAUTH_USERNAME_FILE=/run/secrets/ME_CONFIG_BASICAUTH_USERNAME
      - ME_CONFIG_BASICAUTH_PASSWORD_FILE=/run/secrets/ME_CONFIG_BASICAUTH_PASSWORD
...

BlackthornYugen commented 8 months ago

Thanks for raising this. It will be fixed ASAP. As this is likely a configuration bug in the entrypoint, there will not be a version bump; anyone using latest or 1.0.2 will get the fix.

BlackthornYugen commented 8 months ago

I have a test setup that demonstrates the issue:

version: '3.8'
secrets:
  MONGO_INITDB_ROOT_USERNAME:
    file: ./secrets/mongo_root_username.txt
  MONGO_INITDB_ROOT_PASSWORD:
    file: ./secrets/mongo_root_password.txt
  ME_CONFIG_BASICAUTH_USERNAME:
    file: ./secrets/mongo_express_username.txt
  ME_CONFIG_BASICAUTH_PASSWORD:
    file: ./secrets/mongo_express_password.txt

services:
    mongo:
        image: mongo:4
        environment:
            MONGO_INITDB_ROOT_USERNAME: ${MONGO_INITDB_ROOT_USERNAME}
            MONGO_INITDB_ROOT_PASSWORD: ${MONGO_INITDB_ROOT_PASSWORD}

    mongoexpress:
        # build: 1.0/20-alpine3.19
        image: mongo-express:1.0.0
        # image: mongo-express:1.0.2
        ports:
            - "8081:8081"
        links:
            - mongo
        environment:
        - ME_CONFIG_MONGODB_SERVER=mongo
        - ME_CONFIG_MONGODB_ENABLE_ADMIN=true
        - ME_CONFIG_MONGODB_ADMINUSERNAME_FILE=/run/secrets/MONGO_INITDB_ROOT_USERNAME
        - ME_CONFIG_MONGODB_ADMINPASSWORD_FILE=/run/secrets/MONGO_INITDB_ROOT_PASSWORD
        - ME_CONFIG_BASICAUTH_USERNAME_FILE=/run/secrets/ME_CONFIG_BASICAUTH_USERNAME
        - ME_CONFIG_BASICAUTH_PASSWORD_FILE=/run/secrets/ME_CONFIG_BASICAUTH_PASSWORD
        secrets:
        - MONGO_INITDB_ROOT_USERNAME
        - MONGO_INITDB_ROOT_PASSWORD
        - ME_CONFIG_BASICAUTH_USERNAME
        - ME_CONFIG_BASICAUTH_PASSWORD

docker-compose down -v
mkdir -vp secrets
for user in express root ; do
  echo "${user}_custom_username" > ./secrets/mongo_${user}_username.txt
  dd if=/dev/random bs=1 count=32 2>/dev/null | base64 > ./secrets/mongo_${user}_password.txt
done
export MONGO_INITDB_ROOT_USERNAME=$(cat ./secrets/mongo_root_username.txt)
export MONGO_INITDB_ROOT_PASSWORD=$(cat ./secrets/mongo_root_password.txt)
docker-compose up -d

When running 1.0.0, the basic auth user/pass work as expected, but on 1.0.2 they are ignored and users can connect without any credentials. Hope to have a patch soon.
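A regression check for the behaviour reported in this thread, added here as an example and not part of the original issue or the project's code: it probes the published port once without credentials and once with the secrets from the test setup, and passes only if the anonymous request is refused. The secret paths and port 8081 come from the compose file above; `ME_URL`, `http_status`, `verdict` and `check_basic_auth` are names made up for this example.

```shell
#!/bin/sh
# Added example: confirm that mongo-express refuses anonymous requests.
# ME_URL and all function names are assumptions made for this example.
URL="${ME_URL:-http://localhost:8081/}"

# Print the HTTP status code of a request ("000" if the connection failed).
http_status() {
  curl -s -o /dev/null -w '%{http_code}' --max-time 5 "$@" || true
}

# verdict ANON_CODE AUTH_CODE: classify the two probe results.
# Returns 0 only when anonymous access is refused and the credentials work.
verdict() {
  case "$1" in
    000)     echo "UNREACHABLE"; return 2 ;;
    401)     ;;  # Basic Auth challenge, the expected answer without credentials
    2??|3??) echo "OPEN: anonymous request returned $1"; return 1 ;;
    *)       echo "UNEXPECTED: anonymous request returned $1"; return 4 ;;
  esac
  case "$2" in
    2??|3??) echo "ENFORCED"; return 0 ;;
    *)       echo "CREDENTIALS_REJECTED: authenticated request returned $2"; return 3 ;;
  esac
}

check_basic_auth() {
  user=$(cat ./secrets/mongo_express_username.txt) || return 5
  pass=$(cat ./secrets/mongo_express_password.txt) || return 5
  anon=$(http_status "$URL")
  # Credentials are passed to curl on stdin (-K -) to keep them out of the process list.
  auth=$(printf 'user = "%s:%s"\n' "$user" "$pass" | http_status -K - "$URL")
  verdict "$anon" "$auth"
}

# Only touch the network when asked to: sh check_auth.sh --probe
if [ "${1:-}" = "--probe" ]; then
  check_basic_auth
  exit $?
fi
```

Run it with `--probe` after `docker-compose up -d` for each image tag under test; a non-zero exit status means the deployment should not be exposed.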