Make fava password-protected #314
Comments
And is this even "in scope" for fava?
I don't think it's wise to implement things like this in an application, there's 10s of reverse proxies that have such things built in that are more focused and widely used. You're entering a dangerous domain if you start putting security stuff in your app, that's something that's tied to your leg to maintain and do right forever more - and it's incredibly easy to screw up, the results of which are disastrous. Hugely advise you leave this to nginx, apache, etc. which have this built in and are well maintained. Keep the app to the core focus, which is what it does well - presenting beancount data.
Simple user authentication can indeed be done easily by a reverse proxy. However, authorization is a different story. I imagine it would be useful to have at least two different roles: I suspect reverse proxies could forward the role in e.g. a custom header or environment variable (this needs study), but fava would need to consume this and do the appropriate thing.
I've been using fava behind https (through nginx) doing auth through oauth2_proxy. This way I don't have to worry about authentication (apart from being logged into Chrome), and I can give anyone access who has a Gmail account. I don't currently have it configured, but you should be able to deny access to the source/submit page based on the email address of the user. I'm not entirely convinced that running this within beancount is the right thing to do.
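The split discussed in the two comments above (the reverse proxy authenticates and forwards the identity, the application decides what that identity may do), sketched as WSGI middleware. This is an added example, not part of the thread and not fava's code; the header name, the trusted proxy address, the editor address and the `/source` prefix are all assumptions.

```python
# Every constant here is an assumption for illustration, not a fava or proxy default.
TRUSTED_PROXIES = {"127.0.0.1"}           # only this peer may vouch for a user
EMAIL_HEADER = "HTTP_X_FORWARDED_EMAIL"   # WSGI key of the header the proxy sets
EDITORS = {"owner@example.com"}           # constructed sample address
PROTECTED_PREFIXES = ("/source",)         # placeholder for the source/submit pages
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}

def deny(start_response, status):
    start_response(status, [("Content-Type", "text/plain")])
    return [status.encode()]

class RoleGate:
    """Authentication stays in the proxy; authorization is enforced here."""
    def __init__(self, app, editors=EDITORS, proxies=TRUSTED_PROXIES):
        self.app, self.editors, self.proxies = app, editors, proxies

    def role_for(self, environ):
        """Return 'editor', 'viewer', or None when the identity cannot be trusted."""
        if environ.get("REMOTE_ADDR") not in self.proxies:
            return None  # a direct client can forge the header, so ignore it
        email = environ.get(EMAIL_HEADER, "").strip().lower()
        if not email:
            return None
        return "editor" if email in self.editors else "viewer"

    def __call__(self, environ, start_response):
        role = self.role_for(environ)
        if role is None:
            return deny(start_response, "401 Unauthorized")
        writes = (environ.get("REQUEST_METHOD", "GET") not in SAFE_METHODS
                  or environ.get("PATH_INFO", "").startswith(PROTECTED_PREFIXES))
        if writes and role != "editor":
            return deny(start_response, "403 Forbidden")
        return self.app(environ, start_response)

def demo_app(environ, start_response):
    """Stand-in for the wrapped application."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok"]

def status_of(gate, method, path, email="", remote="127.0.0.1"):
    """Send one constructed request through the gate and return its status line."""
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path,
               "REMOTE_ADDR": remote, EMAIL_HEADER: email}
    seen = []
    list(gate(environ, lambda status, headers: seen.append(status)))
    return seen[0]
```

The peer check only helps if the application listens on an address that nothing but the proxy can reach, and the proxy must overwrite any client-supplied copy of the header.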
Maybe we can add a sample config file for using This would totally fulfill my initial idea, instead of implementing it right into fava (which does sound wrong to me as well).
@aumayr It's in the Docker Hub AFAIK: https://hub.docker.com/r/yegle/fava/ and thus the Dockerfile is here: https://github.com/yegle/fava-docker I've been using it a while, it's pretty sweet.
Thanks @adamgibbins for the pointer! This looks very nice! If we could
then this would be totally awesome and solve the problem I wanted to address with this issue/discussion in the first place.
I will publish my configs for doing this. I use docker-compose to run three different containers side by side to accomplish it.
https://github.com/xentac/beancount-oauth2 Here is a skeleton config showing what I had to do. It doesn't support the URL limiting. To do that, you need to change the nginx config like they say here: https://github.com/bitly/oauth2_proxy/#configuring-for-use-with-the-nginx-auth_request-directive
I will close this image, as #332 is the successor to this.
Hi everyone
Research/discuss if there is a way to enable some sort of authentication for the fava webserver and if this even makes sense.
As a responsive layout is underway it may be nice to let fava run "public" and access it via the internet (Browser, smartphone, etc.). This needs at least password-protection (or some sort of authentication) and maybe encryption (HTTPS).
Does this make sense?