sstephenson / hector

A private group chat server for people you trust
MIT License
131 stars 15 forks source link

permit no password #40

Open daBrado opened 10 years ago

daBrado commented 10 years ago

I don't know if it fits with the intent of Hector, but I am interested in the ability for people to connect to the IRC server without a password, e.g. when on a firewalled LAN and so perhaps one can assume it is okay for anyone who can even route to the server to also connect to the IRC server.

One way I thought to do this that would be backwards compatible is to just add a public method to Identity adapters called permit_no_password? which returns a boolean, and if the method doesn't exist on the adapter, it is assumed to be false.

You can see an example implementation here:

https://github.com/daBrado/hector/compare/nopasswdopt

I also added it into the YamlIdentityAdapter, so that one could configure that adapter to allow people to connect without a password. In this mode, it has the affect that if a user exists, they must supply a password; if the user does not yet exist, then no password is required.

Let me know if this is of interest, and if so, any changes you'd like to see in the above implementation... also I'd take a crack at adding test coverage.

Thanks.

raws commented 10 years ago

I think allowing anonymous connections is outside the scope of Hector itself, but it should be very easy to implement using a custom identity adapter, like this:

class AnonymousIdentityAdapter
  def authenticate(username, password)
    yield true
  end

  def normalize(username)
    username
  end
end

Configure Hector to use the adapter in init.rb:

Hector::Identity.adapter = AnonymousIdentityAdapter.new

Would that work for your needs?

daBrado commented 10 years ago

I had tried that method before, but the issue for me was that a password was still required for a connection, even though it was ultimately unused for the authentication. Perhaps the most confusing part was that the connection was silently timed out when no password was given. Regardless, I was hoping to not have to supply a password at all (as opposed to requiring one but then throwing it away). Does that make sense?

daBrado commented 10 years ago

I updated my nopasswd branch to show a simpler implementation of what I mean: https://github.com/daBrado/hector/compare/nopasswd This would just do an authentication attempt before getting the password. This implies that an identity adapter that allows nil passwords is equivalent to allowing passwordless connections.

(the previous implementation is now at https://github.com/daBrado/hector/compare/nopasswdopt)

leedo commented 10 years ago

Some time ago I added something similar to hector in a branch. It skipped the requirement for a user and pass if the IP address met certain criteria. May be of some help: https://github.com/leedo/hector/commit/fa5ea73e3927d7b38c7997237609255142860cfb