-
-
Notifications
You must be signed in to change notification settings - Fork 704
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Replace Basic Authentication with JWT Tokens, Added Login Page #2252
base: master
Are you sure you want to change the base?
Conversation
44fdc58
to
8ba64ff
Compare
Hey, just curious, do we have to replace the basic authentication? I'd rather have it added as an additional authentication method. The goal is to reduce risk, but I don't think its necessary to totally kill off basic auth as its still a secure method, just not really recommended for browser usage due to it exposing password every request. |
Simply to simplify the authentication methods and not supporting both of them. This could be useful in situations where we would like to add different/new types of authentication systems without having to deal with this. btw I'll let @ReenigneArcher and @cgutman decide on that, I don't have a very strong opinion on that |
I agree with Elix. Less code to maintain would be my preference. |
I don't think its a good idea to drop basic authentication as it is a breaking change and it would make it practically impossible to use the webAPI outside of the browser if we implemented it via proper security practices. As for authentication becoming more difficult to maintain, it shouldn't be that way... most auth is added in via decorator or composite patterns to where it just is added on top of something. |
@Nonary are you using the API for anything? I thought you were parsing the logs files for your projects. We did a search on GitHub and didn't really find anyone doing anything with our API. |
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## nightly #2252 +/- ##
==========================================
- Coverage 6.17% 6.16% -0.02%
==========================================
Files 86 86
Lines 17546 17644 +98
Branches 8190 8263 +73
==========================================
+ Hits 1083 1087 +4
+ Misses 15410 14725 -685
- Partials 1053 1832 +779
Flags with carried forward coverage won't be shown. Click here to find out more.
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Given that we are already refactoring stuff here, can we move out all authentication logic/implementation to another file like http_authenticator
or something, and only call it here?
Would also make it easier to unit test, fix, replace or even support multiple auth styles in the future.
Description
This PR replaces the current Login Page (which is based of the Basic Authentication) with a custom Login Page that implements Cookies + JWT to handle the session system.
This allows us to customize the UX of the login page, and it's more compatible with password managers.
The JWT Key is generated on the fly by Sunshine on each boot and is kept in memory, this allows us to not fiddle with revocation lists and storing safely the encryption key. The only side effect is that the credentials will be invalidated on a Sunshine Reboot, but the Web UI is already capable to handle this edge case and show a login modal when the credentials expire without reloading the entiere page.
This breaks the current API Authentication, but nobody uses the Web UI API as far as we know. If so, let us know!
Screenshot
Issues Fixed or Closed
https://ideas.moonlight-stream.org/posts/329/sunshine-use-login-page-rather-than-login-prompt
Type of Change
.github/...
)Checklist
Branch Updates
LizardByte requires that branches be up-to-date before merging. This means that after any PR is merged, this branch
must be updated before it can be merged. You must also
Allow edits from maintainers.