Open paulgessinger opened 1 year ago
So as far as I understand it, Authelia uses session cookies to pass through clients to the upstream app, while at the same time providing the app with some trusted identity.
I don't think I'd be able to grab these cookies from an isolated webview at all, and even then I'd have to grab ALL cookies and always send them with all API requests, which I'm not sure is something the app should do.
OTOH, as far as I understand it, excluding /api from Authelia might be acceptable, other applications seem to have this same issue with Authelia, and I've seen this approach recommended. This could be combined with a "nice" way of grabbing the token through a webview.
Thoughts @hendrik1120, @RefineryX?
Yes, you can't get the authelia cookies. These two issues are actually not related, I was about to comment about that. @RefineryX you actually need to bypass the api, there is no other way. Since you can authenticate against the api, your authelia protection is now limited to vulnerabilities in the paperless login form/site, not the api endpoint.
My issue is more about the general login into paperless. If they change or add other authentication methods like oidc, the app can't use any of that. I am pretty sure that you can get the django session cookie from paperless, but this needs some work from the maintainers to return it in the request for you. Like nextcloud you could then basically install any auth plugin and all apps would still work. In my case, authelia is basically bypassed but still handles authentication via the back channel.
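An added example (not from this thread, Authelia or Paperless) of what the "/api bypass" discussed above looks like as an Authelia `access_control` rule; `paperless.example.com` is a constructed placeholder domain:

```yaml
access_control:
  default_policy: deny
  rules:
    # Paperless REST API: let requests through without an Authelia session.
    # From here on, /api is protected only by Paperless's own token/basic auth,
    # so the Authelia layer no longer covers that surface.
    - domain: paperless.example.com
      resources:
        - "^/api/.*$"
      policy: bypass

    # Everything else on the host (web UI, login page) still requires
    # an Authelia session with second factor.
    - domain: paperless.example.com
      policy: two_factor
```

Rules are evaluated in order, so the narrower `/api` rule must come before the catch-all for the same domain.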
Ok, understood and agreed.
Indeed there would need to be some way to obtain the token via redirect after a web-based login to paperless. I don't currently have bandwidth to try to add this to paperless myself, but I agree this would be excellent, especially if OIDC gets merged!
Please also consider the cases where people have no password setup
Right now the app requires you to put in a valid public API URL, username and password to get an auth token.
If at all possible it would be nicer if the app could simply throw up a browser window with the login URL, the user logs in and the app fetches the token from a redirect.
See