nanawel / our-shopping-list

OSL is a simple shared list web-application based on Node and VueJS. Typical uses include shopping lists of course, and any other small todo-list that needs to be used collaboratively.
GNU Affero General Public License v3.0

Feature Request: Add user authentication #3

Closed sisimomo closed 1 year ago

sisimomo commented 1 year ago

Hello,

I just came across your project and it is just perfect. I'm looking for a simple and intuitive interface so that any member of my family can add items to the grocery list without difficulty (otherwise they simply won't use it).

I was going to install it on my development server, but noticed that there was no authentication to access the site. Unfortunately for me it is a necessity since I intend to expose the application on the internet. And I don't want anyone (other than my family) to be able to see/edit my listings. (And I also don't want to manage VPN connections on all my family members' phones)

Ideally, having users with shared and private lists would be ideal. But, a simple authentication to protect the site would be good enough.

If you put that in place, I could confidently use the project for my family needs.

FYI, I have a MagicMirror² at my house and would like to display some of my lists on it. So I will probably create a module for our shopping list. I took a quick look at the backend code, and all the endpoints I'll need are already available.

What do you think?

nanawel commented 1 year ago

Hi @sisimomo Thanks for your feedback. I hope this application will help you as much as it helps me on a daily basis.

I fully understand your need for authentication, but unfortunately this is voluntarily out of the scope I intend for this application. It must remain direct, simple, lightweight. And adding users, groups or whatever is clearly already too much.

You can however add an authentication layer on top of the HTTP server if you need it (htpasswd). Or you can simply go with the simplest trick: just leave it open on a secret URL and make sure you only share it with relatives. What do you think? (be careful though: adding authentication would make the provided PWA feature probably a bit more difficult to use from a phone).

I did not know about MagicMirror, seems interesting indeed. I'm sure OSL would have its place there. I'm looking forward to hearing from you about the extension module you plan to add.

ChuckChance commented 1 year ago

For secret URLs, make sure you have robots.txt set to disallow indexing at least one directory level above your install (or else you have the secret URL inside robots.txt file) so at least search engines have no way to show your URL to others (for example like they do, or used to, for all these private webcams that were badly configured)

Edit: this seems to be bad advice (for now) as the app stops working correctly when it's not in the top directory

Hellhound1 commented 1 year ago

Hey, a simple (optional) password page would be great. I appreciate users etc. is out of scope and I wouldn't require that either, but a built-in password page for those of us who do want to expose it would be great.

Same as OP, I don't want to be managing VPNs on family's phones to access the site while they're shopping, which is kind of the point of the site!

nanawel commented 1 year ago

As mentioned earlier, you are free to add an htpasswd "authentication" in front of the site if you need it.

You can find more documentation for Nginx here and for Apache here.

While I'm not willing to add this as a built-in feature myself, I would accept to review any PR if you want to submit one.
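
The htpasswd layer suggested in this thread, sketched as an Nginx reverse proxy (an added example, not part of the thread or the project's own configuration). The hostname, certificate paths, password-file path, user name and upstream port are placeholders, and the WebSocket pass-through is included on the assumption that the app may need it.

```nginx
# Added example; hostname, paths and upstream port are placeholders (assumptions).
# Create the password file first, e.g.:  htpasswd -c /etc/nginx/osl.htpasswd family

# Redirect plain HTTP so Basic credentials are never sent unencrypted.
server {
    listen 80;
    server_name lists.example.org;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name lists.example.org;

    ssl_certificate     /etc/ssl/certs/lists.example.org.pem;
    ssl_certificate_key /etc/ssl/private/lists.example.org.key;

    # Ask crawlers not to index anything, without listing any path in robots.txt.
    add_header X-Robots-Tag "noindex, nofollow" always;

    location / {
        # Every request, including API calls, needs a valid user/password.
        auth_basic           "Our Shopping List";
        auth_basic_user_file /etc/nginx/osl.htpasswd;

        # Assumed address of the OSL container or Node process.
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Pass WebSocket upgrades through, in case the app uses them.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
```

The application's own port should only be reachable from the proxy (bound to localhost or an internal network), otherwise the password prompt can be bypassed by connecting to it directly.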