rjuju
commented
2 years ago Hi,
powa-web doesn't have any additional authentication layer on top of postgres authentication: connecting to powa-web means connecting to postgres. So if you can connect to powa-web without providing a password and without storing the credentials in powa-web.conf, it means that the authentication configuration on the target database allows it. It could be due to pg_hba.conf allowing it, maybe for the powa-web host specifically or not, or something else like a .pgpass available for the user running powa-web.
In any case, this is external to powa-web itself.
hrawulwa
Hello, When accessing the Powa Web, it is allowing me to login i) without providing any username and password ii) when providing only username and null password
The only time it is trying to authenticate is when issuing wrong username and it displays Auth failed message. But the first two points, it is serious security issue.
I have a remote setup, and have powa-collector-1.1.1 and powa-web-4.1.1. running on single server. I thought pg_hba.conf file will also be used to authenticate the Web, but does not seem to be.
How do I enforce username and password requirements correctly? Please advise.
[postgres@sl73pgtldbp002 powa-web-4.1.1]$ cat powa-web.conf
servers={ 'main': { 'host': 'localhost', 'port': '5432', 'database': 'powa', 'query': {'client_encoding': 'utf8'} } } cookie_secret="SUPERSECRET_THAT_YOU_SHOULD_CHANGE"
Some extra options you can set
#
port on which the UI should be available.
port=8888
Address on which the UI should be available on
address=0.0.0.0
Forbid UI to connect to databases globally (can be configured per server)
allow_ui_connection=False
Custom URL prefix the UI should be available on
url_prefix="/"
Thanks Hari