oduwsdl / ipwb

InterPlanetary Wayback: A distributed and persistent archive replay system using IPFS
MIT License

Require authorization for accessing admin functionalities and information on replay interface, allow smooth local access #213

Open machawk1 opened 7 years ago

machawk1 commented 7 years ago

Per comments in #212, administrative functionality should not be available to anyone who can access the ipwb replay web interface. @ibnesayeed offered a suggestion of having an /admin/ endpoint. That seems like a big hammer for the likely more conventional use of accessing the local instance.

Figure out a way to check if the client is local to the instance. If so, provide no-auth access. Otherwise, allow authenticated access using an /admin/ endpoint. Also provide additional information (e.g., ipfs version), which might be sensitive (e.g., exposed vulnerability in an old version), within the admin interface.

Said interface can also be added in-place on the main page using an iframe.

Within the admin interface (protected w/ auth by remote, accessible sans auth locally), show:

machawk1 commented 7 years ago

Checking IPWBREPLAY_IP equality with localhost (e.g., 127.0.0.1, localhost, etc) from replay.py seems like a hacky way to determine this condition. Ideally we could tell by the HTTP headers in the request to the replay webUI but as far as I can see, there is no way to detect that using Flask.

Another approach is to send an HTTP request to the URI src of the aforementioned iframe with a secret from the replay (either via JS or a query string parameter) then respond with an appropriate payload relative to whether the string is indicative of the user accessing the replay system locally. This seems excessive.

from urllib.parse import urlparse
from flask import request

def runningLocally():
    # request.url_root is a full URL such as 'http://127.0.0.1:5000/',
    # so extract the hostname before comparing it with the local names.
    host = urlparse(request.url_root).hostname
    localHosts = ['127.0.0.1', 'localhost', '::1']  # Others?
    return host in localHosts
ibnesayeed commented 6 years ago

A few points here:

1) I could certainly not recommend an IP-based whitelisting because it is not feasible in situations when the process runs in containers or on a remote server, while it also forces a very strong restriction of "from where one can access certain features rather than who can access them".

2) We must segregate administrative features from informational stuff. We don't necessarily need a separate UI for them, but certain routes should be protected.

3) I think "HTTP Basic Authentication" would serve the purpose, and implementing that would be very simple in Flask (default credentials could be admin/admin, but modifiable using a CLI argument and an environment variable when the replay server instance is run). This approach would not require a full-blown authentication system with a database, while an authenticated session automatically lasts quite long from the same browser.
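The two proposals in this thread (an unauthenticated local path, and HTTP Basic Authentication with admin/admin defaults overridable from the environment for everyone else) can be combined in a few lines of Flask. The following is an added example written for this page, not ipwb's own code: the environment variable names IPWB_ADMIN_USER and IPWB_ADMIN_PASS, the /admin/ route body and the trust_loopback switch are assumptions. The policy is kept in plain functions so it can be exercised without a running server; create_app() wires it into Flask.

```python
import base64
import hmac
import ipaddress
import os

# Default credentials (admin/admin, as suggested in the thread), overridable
# via environment variables. The variable names are assumed for this example.
ADMIN_USER = os.environ.get("IPWB_ADMIN_USER", "admin")
ADMIN_PASS = os.environ.get("IPWB_ADMIN_PASS", "admin")


def is_loopback(remote_addr):
    """True when the client address is an IPv4 or IPv6 loopback address."""
    try:
        return ipaddress.ip_address(remote_addr).is_loopback
    except ValueError:  # not an IP literal at all
        return False


def parse_basic_auth(header):
    """Return (user, password) from an 'Authorization: Basic ...' header, else None."""
    if not header:
        return None
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    user, sep, password = decoded.partition(":")  # password may itself contain ':'
    return (user, password) if sep else None


def make_basic_header(user, password):
    """Build the header a browser sends after a Basic challenge (used for testing)."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def credentials_ok(user, password, expected_user=None, expected_pass=None):
    """Constant-time comparison of both fields; '&' avoids short-circuiting on the user."""
    expected_user = ADMIN_USER if expected_user is None else expected_user
    expected_pass = ADMIN_PASS if expected_pass is None else expected_pass
    return (hmac.compare_digest(user.encode("utf-8"), expected_user.encode("utf-8"))
            & hmac.compare_digest(password.encode("utf-8"), expected_pass.encode("utf-8")))


def admin_decision(remote_addr, auth_header, trust_loopback=True,
                   expected_user=None, expected_pass=None):
    """Policy for /admin/: returns 'allow' or 'challenge'.

    Loopback clients pass without credentials when trust_loopback is set;
    everyone else must present valid Basic credentials.
    """
    if trust_loopback and is_loopback(remote_addr):
        return "allow"
    creds = parse_basic_auth(auth_header)
    if creds and credentials_ok(creds[0], creds[1], expected_user, expected_pass):
        return "allow"
    return "challenge"


def create_app(trust_loopback=True):
    """Wire the policy into a Flask app with a protected /admin/ route (assumed layout)."""
    from flask import Flask, Response, request  # deferred so the helpers above need no Flask
    app = Flask(__name__)

    @app.route("/admin/")
    def admin():
        decision = admin_decision(request.remote_addr,
                                  request.headers.get("Authorization"),
                                  trust_loopback=trust_loopback)
        if decision == "allow":
            return "admin interface (ipfs version and other details would go here)"
        # The WWW-Authenticate header is what makes the browser prompt for credentials.
        return Response("Authentication required", 401,
                        {"WWW-Authenticate": 'Basic realm="ipwb admin"'})

    return app


if __name__ == "__main__":
    create_app().run(host="127.0.0.1", port=5000)
```

Note that request.remote_addr is the address of the TCP peer, so behind a reverse proxy or inside a container it is the proxy or bridge address rather than the user's, which is exactly the objection raised above; run with trust_loopback=False in those deployments so that every admin request, local or not, has to carry credentials. Basic Auth sends the password in clear text on every request, so it only protects an instance that is reached over TLS or a trusted network.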

ibnesayeed commented 6 years ago
machawk1 commented 6 years ago

A preliminary barebones interface is now available at /admin/ per ef26e2c4807b08b7a9a11de0382f3abc6d220fa1. Functionality from the main page is now to be filled in, styling applied, etc. and then it can be linked from the main replay page and the presence of admin functionality there removed.