Possibility to keep random people from changing settings #33

Closed
maeries opened this issue Jun 12, 2021 · 6 comments · Fixed by #169
Labels
🔨 Feature New feature or request

Comments

@maeries

maeries commented Jun 12, 2021

My flame install is accessible from the internet, so I would like a possibility to prohibit all the random people on the internet from changing my settings. There are three ways I imagine it could be realized:

  • setting a password. I.e. you either get asked for a password when you are about to change stuff or you have to go to a different page like flame.domain.tld/admin and put in your password there. That way you could even hide the button in the bottom left corner
  • make changing settings only possible when accessing flame over the local network
  • make changing settings only possible when an environment variable is set to a certain value

@rgriffogoes
Contributor

Some user authorization in the app might be a good idea, but you could also secure the whole application using a reverse proxy - if you don't need really public access to flame

@sharpsounds

sharpsounds commented Jun 14, 2021

I hadn't considered this issue before now. Previously I was using Homer, which is configured through .yaml without a config page, and random people on the internet changing my settings wasn't an issue, so I had no auth set up.

I had the thought to just change my reverse proxy's (pomerium) oauth settings to only require authentication on a config page or something. E.g. https://domain.me/settings requires authentication via reverse proxy. Which would kind of work except that the add and edit popovers do not have their own URL.
I suppose you could still do the above with the:

  • /settings
  • /applications
  • /bookmarks

pages, but then that would mean any bookmarks or apps that aren't pinned to the homepage are behind auth as well, and not just the add/edit popovers. Less than ideal but it is better than nothing.

EDIT: Doesn't work. If I manually navigate to /settings I get prompted for auth, but if I click it on the Flame homepage it goes there without auth.

@pawelmalak
Owner

It will take some time to implement but my idea is as follows:

  1. After creating the container, the user can console into it and run a script like node createMasterPassword.js, which will enable password protection and save it to the database
  2. The user can then visit flame.domain.tld/auth and log in with the given password, which will return a JWT token
  3. Things like add/edit buttons or weather settings can then be rendered only if the token is present in localStorage and is valid. The /settings route will still be available for guests, but only the Theme tab will be accessible.
  4. The token will be valid for, let's say, 30 days, and when it's invalid the app will emit a notification with an error.
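
The token flow proposed in the comment above, as an added example that is not part of this thread or Flame's own code: it issues an HS256-signed token with the 30-day lifetime and verifies it on the server for every state-changing request, so that hiding buttons in the client is not the only control. The function names, the Bearer header and the GET/HEAD rule are assumptions; only Node's built-in crypto module is used.

```javascript
// Added example: HS256 session token with expiry, checked server-side.
const crypto = require('node:crypto');

const THIRTY_DAYS = 30 * 24 * 60 * 60; // seconds, the lifetime proposed above

const b64url = (data) => Buffer.from(data).toString('base64url');
const sign = (input, secret) =>
  crypto.createHmac('sha256', secret).update(input).digest('base64url');

// Issue a token after the password check has succeeded (check not shown).
function issueToken(secret, now = Math.floor(Date.now() / 1000)) {
  const header = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const payload = b64url(JSON.stringify({ iat: now, exp: now + THIRTY_DAYS }));
  return `${header}.${payload}.${sign(`${header}.${payload}`, secret)}`;
}

// Returns true only for a well-formed, correctly signed, unexpired token.
function verifyToken(token, secret, now = Math.floor(Date.now() / 1000)) {
  const parts = typeof token === 'string' ? token.split('.') : [];
  if (parts.length !== 3) return false;
  const [header, payload, sig] = parts;
  try {
    // Pin the algorithm: the token must not choose how it is verified.
    const { alg } = JSON.parse(Buffer.from(header, 'base64url').toString());
    if (alg !== 'HS256') return false;
    const expected = Buffer.from(sign(`${header}.${payload}`, secret));
    const given = Buffer.from(sig);
    if (given.length !== expected.length ||
        !crypto.timingSafeEqual(given, expected)) return false;
    const { exp } = JSON.parse(Buffer.from(payload, 'base64url').toString());
    return typeof exp === 'number' && now < exp;
  } catch {
    return false; // malformed base64 or JSON
  }
}

// Server-side gate: reads stay public, every state-changing request
// needs a valid token. Returns the HTTP status to answer with.
function authorize(method, authorizationHeader, secret, now) {
  if (method === 'GET' || method === 'HEAD') return 200;
  const token = (authorizationHeader || '').replace(/^Bearer /, '');
  return verifyToken(token, secret, now) ? 200 : 401;
}
```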

@LeonChris88

I would like to suggest a different approach if possible, adding a label we can add to the docker-compose file.

HIDE-SETTINGS=True/False

@mariushosting

You can also add two environment variables with username and password. Easy for all people.

@i-iooi-i

i-iooi-i commented Nov 8, 2021

I really need this. I don't want to be modified by others.

@pawelmalak pawelmalak linked a pull request Nov 13, 2021 that will close this issue
7 participants