Add auth field to dashboard specification #71
Conversation
|
@jbednar In case you have opinions. Should a (unauthorized) user be able to see their own auth information? Secondly, should a unauthorized user be able to see the specific auth fields that didn't match? |
In most websites it just shows the username, not "User: ", presumably because a user's username is generally very recognizable as their own username, so it's not ambiguous.
Nowadays it seems like the world has decided to reveal as little information as possible, generally not even acknowledging that an unauthorized resource exists. I assume that's to stop leaking information that helps an attacker, but personally I find it maddening for a legitimate user who is blocked for technical reasons, as it makes debugging your setup very difficult. In this case there's clearly some leakage of the title of the dashboard, which one could imagine being sensitive (E.g. "Reasons why we need to put our competitor out of business"). But if we assume a dashboard it meant to be secure mainly inside an organization's firewall, maybe leaking that isn't so important. In any case we should probably not go out of our way to list other data that could help an attacker. |
|
This pull request has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs. |
Adds an
authkey to the dashboard specification which is checked against theuser_infoprovided by the auth provider configured when launching the server. As an example the GitHub OAuth provider returns theloginof the user that is visiting the dashboard. If we add the following field to the yaml:It will check the current user against all users listed here. For a more generic auth mechanism auth providers such as Okta make it possible to return a list of groups a user belongs to in which case you could list the allowed groups to the
authfield.An unauthorized user will see this:
An authorized user will see: