feat: Replace Basic Authentication with JWT Tokens, Added Login Page #2995
base: master
      newPath = newPath + redirect;
    }
  }
  document.location.href = newPath;
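Review bot: the cleanup of `redirect` that is said to happen above this excerpt is not visible in these lines, so the CodeQL finding cannot be dismissed from them alone; before `document.location.href = newPath;`, reject any value that is not a same-origin relative path (no leading `//`, no scheme; e.g. require `new URL(newPath, location.origin).origin === location.origin`) and fall back to a fixed default such as the app root, so a crafted `redirect` query parameter cannot send the freshly logged-in user to another site.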
Check warning (Code scanning / CodeQL): Client-side URL redirect, Medium severity, from a user-provided value.
This value usually comes from the backend, but in case someone tried to lure a user, just above it there is some code to clean up the redirect value before using it.
FYI @ReenigneArcher @TheElixZammuto @cgutman let's continue the discussion here. @TheElixZammuto I invited you to my fork, so you can push something yourself if needed. This way we can iterate fast and I can get your amazing work merged.
Codecov Report. Attention: Patch coverage is
Coverage diff against master (#2995):

              master    #2995     +/-
  Coverage     9.57%    9.52%   -0.06%
  Files           73       73
  Lines        13616    13703     +87
  Branches      6263     6332     +69
  Hits          1304     1305      +1
  Misses        9737     9770     +33
  Partials      2575     2628     +53
Please correct me if I'm wrong, but won't this require a new login prompt each time Sunshine settings are "applied"?
@ns6089 You're completely right, just tested it myself and had to log in again.
This value comes from the backend, but in case someone may try to lure some user somehow, we add a layer of protection
So on the pro side we have better UI and possibly better compatibility with browser password managers. @TheElixZammuto (or anyone who knows), you mentioned "it's more compatible with password managers" in the original PR. Did you run into problems with basic auth in a particular browser?
18145e7 to 448d83c (Compare)
@ns6089 that apply thing can be fixed. What do you mean by more complicated API? JWT Auth is kinda almost the standard nowadays, and we can further provide customization in the future like due date expiring sessions, or maybe allow for custom providers. What will you miss from Basic Auth that is useful to you right now? Basic Auth won't work with autocomplete in many browsers' password manager APIs, or works but won't allow third-party password managers to fill in, only the built-in browser one, that many people don't use. It is an annoyance I want to fix too.
@Hazer I don't personally use the web API for anything, just wanted to list all possible pros and cons. My only concern is that we may be fixing the problem for 1% of users (custom password managers) by introducing a new problem to 99% of users (that recurring login prompt). If it can be fixed, I'm all for it.
Also a random thought.
Not personally, since I don't use my password manager for Sunshine, but this feature was asked for over Discord and GitHub a couple of times.
As for keeping the auth safely, the only way is to store the jwt_key in the state file instead of just in memory; in a default config only admin users should be able to access it. The problem lies in the fact that we cannot revoke a session when a session gets compromised. Maybe we can add an action to reset the key in the troubleshooting section?
I would prefer to keep it. Users are already aware of the combo and they are used to that; also we can use the username in the future if we want to add multiple users/multiple access levels.
Can't we just use symmetrical keys so leaking this key doesn't compromise security without knowing the client's secret?
Sorry, asymmetrical.
Quality Gate failed (SonarCloud): failed conditions, see analysis details on SonarCloud.
This comment was marked as off-topic.
Please move this noise to Discord or somewhere else. This space is for code reviews.
Description
Taking over #2252, as I can't force-push my rebased changes there.
Screenshot: original at #2252