[FEATURE_REQUEST] Stay connected (when auth activated), 2FA auth, log file for connection attempt #64
Comments
MilesTEG1
added
the
🦄 Feature Request
|
Salut, Tu verra que la page de login de Dashy n'est pas a l'epreuvre des balles du fait de ca conception et qu'il est recommandé d'utiliser autre chose comme Authelia, ngnix,. .. Translate : You will see that Dashy's login page is not bulletproof due to this design and that it is recommended to use something else like Authelia, ngnix ,. .. |
|
@EVOTk Translate : |
|
Hi @MilesTEG1 - thanks for raising this :)
|
|
Unfortunately your other two requests are outside the scope, so I won't be implementing them at this time. I recommend implement this on your server instead. @EVOTk recommend Authelia, which can be used in conjunction with your reverse proxy (like NGINX, Traefik, etc). It supports 2-Factor authentication, and you can use it globally across your lab, so should be much more convenient. I found this video by Techno Tim very useful for getting started. Just to reiterate, if your dashboard is exposed to the internet and/ or contains any sensitive data, you should not rely on Dashy's login page. It is handled on the client-side, which means it is possible for an attacker to potentially reverse-engineer. It's definitely better than nothing, but is really intended for use within the safe walls of your local network, to restrict access for those who share your server. |
|
Thanks for the answer. I think I let Dashy stay inside my LAN only... not expose to internet with a domaine name. So for now, I'll stick with basic auth :) But, could it be possible to have a connection log (in a .log file accessible with a volume) (failed one, successfull one) to have my fail2ban container working on it ? |
|
I'm not sure about the connection log. The login is very simple, and I don't want to over-complicate things, and risk increasing the attack surface. A connection log would involve writing to a file, and if that's done by an unauthenticated user it could be abused by an attacker. This is because unlike server-side apps, Dashy is mostly a frontend app, and so it's possible to use the browsers dev tools to intercept and modify requests. At the end of the day, I think most users who will want these kind of features will use a different authentication method. Sorry about that. But if you've got it within your LAN, then why don't you restrict which IPs can access Dashy instead? Say only allow access from yourself, do it on your web server, and it will be quite safe. |
|
Hey @MilesTEG1 - Sorry I forgot to update you sooner, but just to let you know that both 2-factor auth and failed attempts logging is now implemented, though integrating with Keycloak. This was merged in #174 so you need to be using V- Keycloak also allows for SSO, plus many more features than I could ever feasibly implement with Dashy's basic auth, and since it's handled server-side it is also more secure too - I think you'll like it! Feel free to reach out if you have any more questions :) |
|
Hello @Lissy93 Thanks for the heads-up :) |
|
It seems a bit too complicated for me... |
|
Ah ok, no worries :) |
|
It's more beacause there is much more to setup yes :) And the fact that it use another service. |
Hello,
I would like to propose some feature request.
When I choose an authentification with auth and a sha256 hash, I get disconnected after a too short delay (somes minutes) : I see that when I refresh the page after some minutes without activity.
So, could you add a checkbox to stay connected ?
Could you add a 2FA authentification ?
Could you add a log file in a mounted folder in order to store any failed authentification attempt with IP, time etc... I want to use fail2ban to ban after some retries...
For now, I can't expose the service with a domain name because of the lack of security...
I hope those would be implemented soon 😃
Thanks for reading and considering those features 😊
The text was updated successfully, but these errors were encountered: