Make fava password-protected #314

Closed
aumayr opened this issue Jun 2, 2016 · 12 comments

Member

aumayr commented Jun 2, 2016

Research/discuss if there is a way to enable some sort of authentication for the fava webserver and if this even makes sense.

As a responsive layout is underway it may be nice to let fava run "public" and access it via the internet (Browser, smartphone, etc.). This needs at least password-protection (or some sort of authentication) and maybe encryption (HTTPS).

Does this make sense?

Member Author

aumayr commented Jun 2, 2016

And is this even "in scope" for fava?

Contributor

adamgibbins commented Jun 2, 2016

I don't think it's wise to implement things like this in an application; there are 10s of reverse proxies that have such things built in that are more focused and widely used. You're entering a dangerous domain if you start putting security stuff in your app, that's something that's tied to your leg to maintain and do right forever more - and it's incredibly easy to screw up, the results of which are disastrous. Hugely advise you leave this to nginx, apache, etc. which have this built in and are well maintained.

Keep the app to the core focus, which is what it does well - presenting beancount data.

Contributor

corani commented Jun 6, 2016

Simple user authentication can indeed be done easily by a reverse proxy. However, authorization is a different story.

I imagine it would be useful to have at least two different roles: read and read/write. This would require at least some work within fava.

I suspect reverse proxies could forward the role in e.g. a custom header or environment variable (this needs study), but fava would need to consume this and do the appropriate thing.
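
An added example, not part of the original thread and not fava's code, of the design this comment sketches: a WSGI middleware that consumes a role forwarded by the reverse proxy and blocks state-changing requests for read-only users. The header name `X-Auth-Role`, the role names, and the proxy address are assumptions made for illustration.

```python
# Added example, not fava's code. Header name, role names and proxy address are assumptions.
ROLE_HEADER = "HTTP_X_AUTH_ROLE"   # WSGI key for a hypothetical "X-Auth-Role" header
TRUSTED_PROXIES = {"127.0.0.1"}    # assumed: the reverse proxy runs on the same host
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
ROLES = {"read", "read-write"}


class RoleGate:
    """WSGI middleware: read-only users may not send state-changing requests."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        # The header is only meaningful if the proxy set it. A client that can
        # reach the app directly could forge it, so reject any other peer.
        if environ.get("REMOTE_ADDR") not in TRUSTED_PROXIES:
            return self._deny(start_response, "403 Forbidden")
        role = environ.get(ROLE_HEADER, "")
        if role not in ROLES:
            # Missing or unknown role: fail closed instead of defaulting to read.
            return self._deny(start_response, "401 Unauthorized")
        method = environ.get("REQUEST_METHOD", "GET")
        if method not in SAFE_METHODS and role != "read-write":
            return self._deny(start_response, "403 Forbidden")
        return self.app(environ, start_response)

    @staticmethod
    def _deny(start_response, status):
        start_response(status, [("Content-Type", "text/plain")])
        return [status.encode() + b"\n"]


def demo_app(environ, start_response):
    """Stand-in for the protected application (constructed for this example)."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok\n"]


def probe(method, role=None, remote_addr="127.0.0.1"):
    """Send one constructed request through the gate and return the status line."""
    environ = {"REQUEST_METHOD": method, "REMOTE_ADDR": remote_addr}
    if role is not None:
        environ[ROLE_HEADER] = role
    seen = []
    RoleGate(demo_app)(environ, lambda status, headers: seen.append(status))
    return seen[0]
```

The proxy must also overwrite or strip any client-supplied copy of the role header before forwarding, otherwise the peer-address check alone does not stop a forged role.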

Contributor

xentac commented Jun 6, 2016

I've been using fava behind https (through nginx) doing auth through oauth2_proxy. This way I don't have to worry about authentication (apart from being logged into chrome), and I can give anyone access who has a gmail account.

I don't currently have it configured, but you should be able to deny access to the source/submit page based on the email address of the user.

I'm not entirely convinced that running this within beancount is the right thing to do.

Member Author

aumayr commented Jun 7, 2016

Maybe we can add a sample config file for using nginx or a sample-docker-file (also with the nginx-config) and add some documentation on how to use it? @xentac can you share your config on how to do this via nginx with oauth2?

This would totally fulfill my initial idea, instead of implementing it right into fava (which does sound wrong to me as well).

Member Author

aumayr commented Jun 7, 2016

@yegle You talked about using fava in a docker image (#230) - can you share your Dockerfile?

@adamgibbins
Contributor

@aumayr It's in the Docker Hub AFAIK: https://hub.docker.com/r/yegle/fava/ and thus the Dockerfile is here: https://github.com/yegle/fava-docker

I've been using it a while, it's pretty sweet.

Member Author

aumayr commented Jun 7, 2016

Thanks @adamgibbins for the pointer! This looks very nice!

If we could

  1. Combine this with @xentac's oauth-config
  2. Document this in the fava Documentation on how to use this
  3. Maybe directly integrate it into fava (contrib-folder)

then this would be totally awesome and solve the problem I wanted to address with this issue/discussion in the first place.

Contributor

xentac commented Jun 7, 2016

I will publish my configs for doing this. I use docker-compose to run three different containers side by side to accomplish it.

Contributor

xentac commented Jun 12, 2016

https://github.com/xentac/beancount-oauth2

Here is a skeleton config showing what I had to do. It doesn't support the url limiting. To do that, you need to change the nginx config like they say here: https://github.com/bitly/oauth2_proxy/#configuring-for-use-with-the-nginx-auth_request-directive

Member Author

aumayr commented Jun 13, 2016

I will close this image, as #332 is the successor to this.


zsxsoft commented Feb 17, 2020

Hi everyone
I wrote a simple management panel for this: https://github.com/zsxsoft/fava-management
