New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Option for Web Login rather than popup #330

Closed
edru opened this Issue Jan 20, 2017 · 27 comments

Comments

Projects
None yet
7 participants
@edru

edru commented Jan 20, 2017

Applications/plug-ins like lastpass are unable to populate the popup request for username and password. An in-page login would allow this.

@ciehanski

This comment has been minimized.

Show comment
Hide comment
@ciehanski

ciehanski Jan 20, 2017

I was actually just about to submit a feature request for this. A login page similar to Sonarr or PlexPy would be fantastic.

ciehanski commented Jan 20, 2017

I was actually just about to submit a feature request for this. A login page similar to Sonarr or PlexPy would be fantastic.

@hugbug

This comment has been minimized.

Show comment
Hide comment
@hugbug

hugbug Jan 20, 2017

Member

NZBGet uses HTTP authentication which is a part of HTTP standard. Every modern browser can save and fill in the username and password.

Web-sites have publicly accesssible login pages because they need to advertise they sevices for new users and because they need to provide a password reset feature. None of these is applicable to NZBGet.

I don't see reasons to change current authentication mechanism.

Member

hugbug commented Jan 20, 2017

NZBGet uses HTTP authentication which is a part of HTTP standard. Every modern browser can save and fill in the username and password.

Web-sites have publicly accesssible login pages because they need to advertise they sevices for new users and because they need to provide a password reset feature. None of these is applicable to NZBGet.

I don't see reasons to change current authentication mechanism.

@hugbug hugbug changed the title from Option for Web Login rather than popup (feature request) to Option for Web Login rather than popup Jan 20, 2017

@ciehanski

This comment has been minimized.

Show comment
Hide comment
@ciehanski

ciehanski Jan 20, 2017

@hugbug we're not asking to change the whole authentication system, rather have a login screen prompted through HTML/PHP instead of a popup. All other media services(Sonarr, PlexPy, SABnzb) include this kind of feature and are not applicable to what you stated above...

ciehanski commented Jan 20, 2017

@hugbug we're not asking to change the whole authentication system, rather have a login screen prompted through HTML/PHP instead of a popup. All other media services(Sonarr, PlexPy, SABnzb) include this kind of feature and are not applicable to what you stated above...

@hugbug

This comment has been minimized.

Show comment
Hide comment
@hugbug

hugbug Jan 20, 2017

Member

we're not asking to change the whole authentication system

That's indeed the consequence. A great amount of work is needed for this. And the output in my opinion is so small that it is hardly worth it (all browsers already can save login data). I would rather work on more useful things.

We can keep this issue open to collect opinions. If many users need this I'll give it higher priority.

Member

hugbug commented Jan 20, 2017

we're not asking to change the whole authentication system

That's indeed the consequence. A great amount of work is needed for this. And the output in my opinion is so small that it is hardly worth it (all browsers already can save login data). I would rather work on more useful things.

We can keep this issue open to collect opinions. If many users need this I'll give it higher priority.

@ciehanski

This comment has been minimized.

Show comment
Hide comment
@ciehanski

ciehanski Jan 20, 2017

@hugbug ahhhh I see. Sounds good, thanks for explaining it and being open.

ciehanski commented Jan 20, 2017

@hugbug ahhhh I see. Sounds good, thanks for explaining it and being open.

@hugbug

This comment has been minimized.

Show comment
Hide comment
@hugbug

hugbug Jan 20, 2017

Member

I also would like to know what problem should the web login page solve?

I understand there is an issue with LastPass. Isn't letting the browser to save the login data a solution?

It's also possible to put username and password directly into URL which can be a solution for mobile phones since they are usually generally protected with passwords already and putting password into url isn't a big security risk.

Member

hugbug commented Jan 20, 2017

I also would like to know what problem should the web login page solve?

I understand there is an issue with LastPass. Isn't letting the browser to save the login data a solution?

It's also possible to put username and password directly into URL which can be a solution for mobile phones since they are usually generally protected with passwords already and putting password into url isn't a big security risk.

@edru

This comment has been minimized.

Show comment
Hide comment
@edru

edru Jan 20, 2017

The problem presented on my end is that I dont auto save my passwords within the browser as an overall security practice. I use lastpass with very long randomly generated passwords. The plugins for lastpass on both Chrome for Windows and Android cannot populate the fields in the popup window. There is no option at all in windows, and in android it doesnt detect it as a field that would need to be populate by them. In all of the apps, like Sonarr/CP, they are, or offer, a log-in via the webpage itself, which LastPass can populate. Otherwise you have to open the app/vault copy the password, then flip back and paste it.

Im not sure if this is strictly limited lastpass, or all password safes. If it is strictly a lastpass problem I can address the situation with them instead, but the issue has crossed operating systems (Windows/Android). I dont use any other password safes, so maybe someone using a different web-based one can test?

edru commented Jan 20, 2017

The problem presented on my end is that I dont auto save my passwords within the browser as an overall security practice. I use lastpass with very long randomly generated passwords. The plugins for lastpass on both Chrome for Windows and Android cannot populate the fields in the popup window. There is no option at all in windows, and in android it doesnt detect it as a field that would need to be populate by them. In all of the apps, like Sonarr/CP, they are, or offer, a log-in via the webpage itself, which LastPass can populate. Otherwise you have to open the app/vault copy the password, then flip back and paste it.

Im not sure if this is strictly limited lastpass, or all password safes. If it is strictly a lastpass problem I can address the situation with them instead, but the issue has crossed operating systems (Windows/Android). I dont use any other password safes, so maybe someone using a different web-based one can test?

@hugbug

This comment has been minimized.

Show comment
Hide comment
@hugbug

hugbug Jan 20, 2017

Member

That suppprt page suggests a workaround: use LastPass with Firefox to save the password. After that the auto filling of password should work in Chrome too. I guess this does not apply to Android but may work on Windows at least.

Member

hugbug commented Jan 20, 2017

That suppprt page suggests a workaround: use LastPass with Firefox to save the password. After that the auto filling of password should work in Chrome too. I guess this does not apply to Android but may work on Windows at least.

@bennettp123

This comment has been minimized.

Show comment
Hide comment
@bennettp123

bennettp123 Jan 24, 2017

+1

I'd also appreciate authentication via web form instead of HTTP authentication. I have the same use case: I want unique complex passwords, and I want to avoid manually typing and/or copy+paste password, but my password manager doesn't play nice with HTTP auth.

As a workaround, I've been appending the username and password to the URL, which I've added to my browser bookmarks.

e.g. https://<server>:<port>/<username>:<password>/API doco, but it also works for the web frontend.

bennettp123 commented Jan 24, 2017

+1

I'd also appreciate authentication via web form instead of HTTP authentication. I have the same use case: I want unique complex passwords, and I want to avoid manually typing and/or copy+paste password, but my password manager doesn't play nice with HTTP auth.

As a workaround, I've been appending the username and password to the URL, which I've added to my browser bookmarks.

e.g. https://<server>:<port>/<username>:<password>/API doco, but it also works for the web frontend.

@m1lkman

This comment has been minimized.

Show comment
Hide comment
@m1lkman

m1lkman commented Jan 24, 2017

+1

@ciehanski

This comment has been minimized.

Show comment
Hide comment
@ciehanski

ciehanski Jan 24, 2017

Just tested with 1Password and I have the same problem as well that @edru mentioned.

ciehanski commented Jan 24, 2017

Just tested with 1Password and I have the same problem as well that @edru mentioned.

@anoma

This comment has been minimized.

Show comment
Hide comment
@anoma

anoma Jan 24, 2017

Is there any reason other than "some 3rd party password tools dont support HTTP standards". If not then surely this is a bug report for those tools and not nzbget.

For what it is worth changing away from HTTP auth would break my setup.

anoma commented Jan 24, 2017

Is there any reason other than "some 3rd party password tools dont support HTTP standards". If not then surely this is a bug report for those tools and not nzbget.

For what it is worth changing away from HTTP auth would break my setup.

@bennettp123

This comment has been minimized.

Show comment
Hide comment
@bennettp123

bennettp123 Jan 24, 2017

Is there any reason other than "some 3rd party password tools dont support HTTP standards".

Pretty much lol

More accurately, "some 3rd party web browsers don't expose an interface for plugins to autofill HTTP auth, which makes it inconvenient to use some 3rd party password tools with nzbget."

But I can see what you're getting at. It's definitely not a bug in nzbget... perhaps this thread should be labelled as a feature request instead of an issue. 😉

For what it is worth changing away from HTTP auth would break my setup.

Not necessarily. You can already bypass HTTP auth by appending the username and password to the request URI — see my post above.

Or make it a config option — eg nzbdrone/Sonarr lets you choose between several auth methods (basic/forms/none).

bennettp123 commented Jan 24, 2017

Is there any reason other than "some 3rd party password tools dont support HTTP standards".

Pretty much lol

More accurately, "some 3rd party web browsers don't expose an interface for plugins to autofill HTTP auth, which makes it inconvenient to use some 3rd party password tools with nzbget."

But I can see what you're getting at. It's definitely not a bug in nzbget... perhaps this thread should be labelled as a feature request instead of an issue. 😉

For what it is worth changing away from HTTP auth would break my setup.

Not necessarily. You can already bypass HTTP auth by appending the username and password to the request URI — see my post above.

Or make it a config option — eg nzbdrone/Sonarr lets you choose between several auth methods (basic/forms/none).

@hugbug

This comment has been minimized.

Show comment
Hide comment
@hugbug

hugbug Jan 24, 2017

Member

This is already labeled as "Feature", not as "Bug".

If implemented there will be an option to choose between HTTP-Auth and Form-Auth. Backward compatibility is a high priority.

Generally Form-Auth is less secure because the built-in web-server must serve files required for web-form to non-(yet)-authorized users, which means unrestricted access to webui-folder.

I recognize there is an issue with certain browsers and tools. Users having issues with HTTP-Auth please comment in this topic or use reactions ("+1"-smilies) on the first post.

Member

hugbug commented Jan 24, 2017

This is already labeled as "Feature", not as "Bug".

If implemented there will be an option to choose between HTTP-Auth and Form-Auth. Backward compatibility is a high priority.

Generally Form-Auth is less secure because the built-in web-server must serve files required for web-form to non-(yet)-authorized users, which means unrestricted access to webui-folder.

I recognize there is an issue with certain browsers and tools. Users having issues with HTTP-Auth please comment in this topic or use reactions ("+1"-smilies) on the first post.

@edru

This comment has been minimized.

Show comment
Hide comment
@edru

edru Jan 24, 2017

@MoonJazz thanks for testing a different password manager

@hugbug yes this is requested as an option add-on, not a replacement. I believe either Sonarr or CouchPotato gives you the option to choose in the GUI if that helps formulate at all (if accepted).

edru commented Jan 24, 2017

@MoonJazz thanks for testing a different password manager

@hugbug yes this is requested as an option add-on, not a replacement. I believe either Sonarr or CouchPotato gives you the option to choose in the GUI if that helps formulate at all (if accepted).

@PeterDTown

This comment has been minimized.

Show comment
Hide comment
@PeterDTown

PeterDTown Feb 7, 2017

+1 please add this feature.

I've seen you give this same response dating back several years, and it seems like there are many people who would like the option to sign in via web form. I understand it may not be the way you prefer to login, but if this many people want the option is it not worthwhile implementing?

PeterDTown commented Feb 7, 2017

+1 please add this feature.

I've seen you give this same response dating back several years, and it seems like there are many people who would like the option to sign in via web form. I understand it may not be the way you prefer to login, but if this many people want the option is it not worthwhile implementing?

@hugbug hugbug modified the milestone: v19 Feb 13, 2017

hugbug added a commit that referenced this issue Feb 22, 2017

@hugbug

This comment has been minimized.

Show comment
Hide comment
@hugbug

hugbug Feb 22, 2017

Member

Implemented the feature but it may not work as you expect.

Who wants to test? Please send me a message to nzbget@gmail.com with the info which OS you run nzbget on.

If you can compile on your own use branch 330-form-auth.

Member

hugbug commented Feb 22, 2017

Implemented the feature but it may not work as you expect.

Who wants to test? Please send me a message to nzbget@gmail.com with the info which OS you run nzbget on.

If you can compile on your own use branch 330-form-auth.

@PeterDTown

This comment has been minimized.

Show comment
Hide comment
@PeterDTown

PeterDTown Feb 24, 2017

Did you find a tester? I'm running this on my Synology DSM v.6

PeterDTown commented Feb 24, 2017

Did you find a tester? I'm running this on my Synology DSM v.6

@hugbug

This comment has been minimized.

Show comment
Hide comment
@hugbug

hugbug Feb 24, 2017

Member

@PeterDTown: can you install nzbget from universal linux installer (like the one provided on nzbget download page)? I would send you the package from current develop branch. What CPU has your NAS? Send me a message to nzbget@gmail.com as I need your email address.

Member

hugbug commented Feb 24, 2017

@PeterDTown: can you install nzbget from universal linux installer (like the one provided on nzbget download page)? I would send you the package from current develop branch. What CPU has your NAS? Send me a message to nzbget@gmail.com as I need your email address.

@edru

This comment has been minimized.

Show comment
Hide comment
@edru

edru Feb 27, 2017

Has this been tested? I have my Ubuntu installation up and running that i could copy over. I was busy all last week and out of town this past weekend, but could help this week.

Thanks for taking the time to add this feature. It is much appreciated!

edru commented Feb 27, 2017

Has this been tested? I have my Ubuntu installation up and running that i could copy over. I was busy all last week and out of town this past weekend, but could help this week.

Thanks for taking the time to add this feature. It is much appreciated!

@hugbug

This comment has been minimized.

Show comment
Hide comment
@hugbug

hugbug Feb 27, 2017

Member

@edru: v19.0-testing is out. Please test and write back.

Member

hugbug commented Feb 27, 2017

@edru: v19.0-testing is out. Please test and write back.

@edru

This comment has been minimized.

Show comment
Hide comment
@edru

edru Feb 27, 2017

@hugbug by chance is there a git command I could issue to pull that specific build? Or is that part of the pushes that will auto update?

edru commented Feb 27, 2017

@hugbug by chance is there a git command I could issue to pull that specific build? Or is that part of the pushes that will auto update?

@hugbug

This comment has been minimized.

Show comment
Hide comment
@hugbug

hugbug Feb 27, 2017

Member

Just go to download page and take it from there or update from nzbget web-interface if you use official nzbget package.

Member

hugbug commented Feb 27, 2017

Just go to download page and take it from there or update from nzbget web-interface if you use official nzbget package.

@edru

This comment has been minimized.

Show comment
Hide comment
@edru

edru Feb 27, 2017

@hugbug tried to do it remotely from my phone, but something must have gone wrong as nothing on my machine will load anymore. Ill be home in roughly 4 hours and update you then unless something else pops up in between then.

edru commented Feb 27, 2017

@hugbug tried to do it remotely from my phone, but something must have gone wrong as nothing on my machine will load anymore. Ill be home in roughly 4 hours and update you then unless something else pops up in between then.

@edru

This comment has been minimized.

Show comment
Hide comment
@edru

edru Feb 28, 2017

@hugbug - tested, working, LastPass will see and populate. Thanks SO much!

edru commented Feb 28, 2017

@hugbug - tested, working, LastPass will see and populate. Thanks SO much!

@edru

This comment has been minimized.

Show comment
Hide comment
@edru

edru Mar 2, 2017

Just a followup as I only tested windows - this also works correctly in Android too.

edru commented Mar 2, 2017

Just a followup as I only tested windows - this also works correctly in Android too.

@hugbug

This comment has been minimized.

Show comment
Hide comment
@hugbug

hugbug Mar 3, 2017

Member

Thanks for testing.

Member

hugbug commented Mar 3, 2017

Thanks for testing.

hugbug added a commit that referenced this issue Oct 9, 2017

hugbug added a commit that referenced this issue Oct 9, 2017

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment