-
-
Notifications
You must be signed in to change notification settings - Fork 561
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add server-side password protection for the web interface #197
Conversation
Thanks for this @DL6ER , I think before we accept, we're going to need to make some changes to how At the moment, if a user was to choose to re-install (i.e Obviously, there shouldn't really be any reason for the user to have to run that, but it's a possibility, and would end with them having to re-add the password field, (and temperature flag). Question more related to this PR (I haven't fully gone through the code yet, or tested it...) will the password stored in |
Yes please! If you can, try and make it so that it's a seperate script that is called by
Agreed. |
I opened the PR there. Also, I changed the behavior of the script such that the saved password has to be the corresponding hash. |
Oh, minor niggle, can you CAPSLOCK the variable names? |
@PromoFaux Not sure what you mean. You mean like $pwstring -> $PWSTRING? |
in setupVars, and then everywhere they are referenced. See the top 6 as an example :)
i.e do |
Okay, I got confused, since this is the web interface pull request. Also, in my setupVars.conf everything is in lower case, but might be that this has changed recently:
|
AH, yes sorry... they're capped in the Changed them as per google style guide |
Well, this is a problem, I think. The function used in the web interface to read from the setupVars.conf file is case sensitive! This will fail if the capitalization of the variable names changes. |
Have you based off of |
Sure. It is now updated, see e.g. here: https://github.com/pi-hole/AdminLTE/blob/devel/data.php#L3 |
Yeah, turns out I completely imagined that I'd updated that... Good catch! |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can we possibly show the user on the main screen when logged in that their session won't expire on that screen? Or would that be unnecessary?
updateTopClientsChart(); | ||
|
||
updateForwardDestinations(); | ||
|
||
updateTopLists(); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
updateTopClientsChart()
and updateTopLists()
are being called even if not authorized, which will cause more strain on the Pi-hole for no gain since those charts are not available when not logged in.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The API will reject the queries anyway, so there isn't much work to be done here. Anyhow, I'll check if the items exist at all before trying to get the data.
@@ -255,6 +263,27 @@ | |||
<i class="fa fa-paypal"></i> <span>Donate</span> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We can still show the donate button when not logged in.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
True.
else | ||
document.getElementById("sessiontimercounter").textContent = "-- : --"; | ||
|
||
$('.timer').text(currentTimeString); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
currentTimeString
is not defined
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Okay, that shouldn't be there, actually...
Edit: Fixed by clearing browser cache as per @Mcat12's suggestion |
I think that is from your browser not updating cached files. |
I think that is not necessary. Most people won't even know that there is some countdown in the background that might log them out at some time. If you like, we could put the timer display at some other (less hidden) place. Then everything should be more or less self-explanatory (they see that the timer is continuously reset on the main page). I see that codacy comolained about valid code since it wants to enforce a certain code style. I'm fine with that and will change the corresponding parts. |
So the session is based on time, not on the session? If a user leaves they can still come back within the hour and the session will still be active? |
@dschaper The session functionality of PHP has an internal timeout feature, i.e. it will invalidate a valid session on its own after a certain amount of time (defaulting to 24 minutes). Say you visit a site and close your browser completely. If you reopen it within the said 24 minutes, then your session will be refreshed and you have another 24 minutes. If, however, you open up your browser more than 24 minutes later, then you have to login again. If different users log in, each of them will have his own (independent) timeout. |
Okay, and then the logout button will immediately invalidate the session... |
As for Codacy, we have control of the applied rulesets, so if there are hits being registered that are no applicable, we can just disable those particular checks for these files. |
Conflicts: api.php js/pihole/index.js
Currently, the session countdown timer is slightly hidden because I don't know if people would want to see it. Should I put it to some more prominent place clearly visible to the logged in user? |
It's fine where it is. |
&& !!document.getElementById("ad-frequency")) | ||
{ | ||
updateTopClientsChart(); | ||
} | ||
|
||
updateTopLists(); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This one should only be called if authorized.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Actually, this should be moved to and replace line 155, because that one is called twice when authorized and never when not authorized.
Conflicts: header.php
@Mcat12 Conflict resolved. |
Fixes #128.
Changes proposed in this pull request:
Behavior:
No password is set: No surprises, everything is always shown to everyone.
The user sets a password in
setupVars.conf
: Now, the user will be shown a "login" page:Also, clicking on the links "Enable/Disable" doesn't do anything completely locking out any non-authorized user.
Once logged in, the hashed password is always carried around in all links to be sure that we only have to log in once.
The hashing of the password guarantees that the password is never visible in plain-text to someone who might look over your shoulder.
Once we agree on how we like to have it, we should definitely add an (clearly documented) option for the pihole command to make it easy to set the password. We might even ask for it during the installation.
Syntax for
setupVars.conf
:webpassword="ABC"
@pi-hole/dashboard