yllibed / Zigbee2MqttAssistant

GUI for Zigbee2Mqtt running in docker and HASS.IO

Authentication #154

Open Edzilla2000 opened 4 years ago

Edzilla2000 commented 4 years ago

Hello, Would it be possible to implement some kind of authentication? Right now anyone having access to this webapp can do anything with my zigbee network. I'm mitigating the issue by only bringing it up when I need it but I would love to see some kind of user/password on it.

carldebilly commented 4 years ago

To be honest the tool has been developed to be a HASS.IO ingress add-in first, so the authentication is managed by HASS when used that way. But I agree it's a security issue when used as a stand-alone container (or when you activate the port-mapping feature to access it directly without the ingress mode).

Would having a hard-coded username + password, defined in the configuration, be enough for you?

carldebilly commented 4 years ago

@all-contributors please add Edzilla2000 to ideas

allcontributors[bot] commented 4 years ago

@carldebilly

I've put up a pull request to add @Edzilla2000! :tada:

kennymc-c commented 4 years ago

I would also appreciate some authentication method in the stand-alone version. Username + password in the configuration would be ok, but only with https/ssl encryption. Of course it would be better to save the login data in an encrypted file. In this file you can also store e.g. the MQTT Broker login data securely.

Paddy0174 commented 4 years ago

> To be honest the tool has been developed to be a HASS.IO ingress add-in first, so the authentication is managed by HASS when used that way. But I agree it's a security issue when used as a stand-alone container (or when you activate the port-mapping feature to access it directly without the ingress mode). [...]

Sorry for asking, but does this include the use of !secret in the configuration? Because in my case it is not working, so I'd like to add a feature request, a bug report or an apology for misconfiguring the addon. 😄

EDIT: Never mind, I found #33

kennymc-c commented 4 years ago

Any updates on this? The mentioned solution using hard-coded login credentials would be better than nothing as it is currently the case in the stand-alone version.

Edzilla2000 commented 4 years ago

For my part I've added basic auth in my traefik config for this service, but something better integrated would be great!

dawidkrawczak commented 3 years ago

As I also use Zigbee2MqttAssistant as standalone in the form of a docker container, I am interested in even the basic form of authorization. Is there a chance for such a feature? Alternatively, I am asking for tips on how to do this?

Edzilla2000 commented 3 years ago

@DavePol21 personally I do it like this in Traefik 2:

```yaml
deploy:
  labels:
    - "traefik.enable=true"
    - "traefik.docker.network=webgateway"
    - "traefik.http.routers.zigbee.rule=Host(`zigbee.domain.tld`)"
    - "traefik.http.services.zigbee.loadbalancer.server.port=8080"
    - "traefik.http.routers.zigbee.entrypoints=websecure"
    - "traefik.http.routers.zigbee.tls.certresolver=mydnschallenge"
    - "traefik.http.middlewares.zigbee-auth.basicauth.users=user:hash"
    - "traefik.http.routers.zigbee.middlewares=zigbee-auth@docker"
```

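
As an added example (not part of the original thread and not the project's code): a small Python check over Traefik v2 Docker labels like the ones in the comment above, flagging a router with no auth middleware, a router with no `tls` label, and a `basicauth.users` entry that is not an htpasswd-style hash. `audit_labels`, the sample label sets and the hash value are constructed for illustration; TLS configured at the entrypoint level is an assumption this check cannot see.

```python
import re

AUTH_KINDS = {"basicauth", "digestauth", "forwardauth"}  # Traefik v2 auth middlewares
HASH_RE = re.compile(r"^(\$apr1\$|\$2[aby]\$|\{SHA\})")    # htpasswd MD5, bcrypt, SHA1 prefixes

def audit_labels(labels):
    """Return findings for a list of Traefik v2 Docker labels ('key=value' strings)."""
    routers, auth_mw, findings = {}, set(), []
    for label in labels:
        key, _, value = label.partition("=")
        parts = key.lower().split(".")
        if len(parts) < 5 or parts[:2] != ["traefik", "http"]:
            continue
        name, prop = parts[3], ".".join(parts[4:])
        if parts[2] == "routers":
            routers.setdefault(name, {})[prop] = value
        elif parts[2] == "middlewares" and parts[4] in AUTH_KINDS:
            auth_mw.add(name)
            if prop == "basicauth.users":
                # Compose files escape "$" as "$$"; undo that before checking.
                for entry in value.replace("$$", "$").split(","):
                    user, _, secret = entry.partition(":")
                    if not HASH_RE.match(secret):
                        findings.append(f"middleware {name}: user {user!r} has no htpasswd-style hash")
    for name, props in sorted(routers.items()):
        attached = {m.strip().lower().split("@")[0] for m in props.get("middlewares", "").split(",")}
        if not attached & auth_mw:
            findings.append(f"router {name}: no auth middleware attached")
        if not any(p == "tls" or p.startswith("tls.") for p in props):
            findings.append(f"router {name}: no tls label on this router")
    return findings

BASE = [  # router and service labels taken from the comment above
    "traefik.enable=true",
    "traefik.http.routers.zigbee.rule=Host(`zigbee.domain.tld`)",
    "traefik.http.services.zigbee.loadbalancer.server.port=8080",
    "traefik.http.routers.zigbee.entrypoints=websecure",
]
PAGE_LABELS = BASE + [  # as posted, still carrying the "user:hash" placeholder
    "traefik.http.routers.zigbee.tls.certresolver=mydnschallenge",
    "traefik.http.middlewares.zigbee-auth.basicauth.users=user:hash",
    "traefik.http.routers.zigbee.middlewares=zigbee-auth@docker",
]
EXPOSED = BASE  # constructed: router published with no middleware and no tls label
# Constructed: same labels with a made-up value in htpasswd apr1 format.
HARDENED = [l.replace("user:hash", "admin:$$apr1$$CONSTRUC$$NotARealHashValue000000") for l in PAGE_LABELS]

if __name__ == "__main__":
    for title, labels in [("exposed", EXPOSED), ("page", PAGE_LABELS), ("hardened", HARDENED)]:
        print(title, audit_labels(labels) or "ok")
```
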
dawidkrawczak commented 3 years ago

Thank you. I wouldn't like to put up an additional container with Traefik. Is it possible to edit the page files / webserver configuration files directly in the Z2MA container?