Add server-side password protection for the web interface #197
Conversation
|
Added |
|
Thanks for this @DL6ER , I think before we accept, we're going to need to make some changes to how At the moment, if a user was to choose to re-install (i.e Obviously, there shouldn't really be any reason for the user to have to run that, but it's a possibility, and would end with them having to re-add the password field, (and temperature flag). Question more related to this PR (I haven't fully gone through the code yet, or tested it...) will the password stored in |
|
Just tried it out, and in answer to my question, yes.. the password is stored in plain text... not really too happy with that! Could you also hide these buttons when the user is not logged in?
|
|
I think it makes sense to hide the whole navigation bar if the user is not logged in. Concerning password and hashing: I think it is not wise to save a hashed password using PHP. Instead, the password should be stored as a hash in the setupVars.conf file from the beginning, i.e. the pihole command should do this. I didn't do this here intentionally, so testing would be easier. Should I open a PR to integrate the password setting feature into the pihole command? I'd obviously save only the hash there. Concerning the possible wipe out of the password and temperature flag: Well, both of these settings are not critical by any mean, so if they get wiped out, then we'll just fall back to the defaults (no password + Celcius). |
|
This is how it looks on mobile devices, not unpleasant surprises here. |
Yes please! If you can, try and make it so that it's a seperate script that is called by
Agreed. |
|
I opened the PR there. Also, I changed the behavior of the script such that the saved password has to be the corresponding hash. |
|
Oh, minor niggle, can you CAPSLOCK the variable names? |
|
@PromoFaux Not sure what you mean. You mean like $pwstring -> $PWSTRING? |
|
in setupVars, and then everywhere they are referenced. See the top 6 as an example :) i.e do |
|
Okay, I got confused, since this is the web interface pull request. Also, in my setupVars.conf everything is in lower case, but might be that this has changed recently: |
|
AH, yes sorry... they're capped in the Changed them as per google style guide |
|
Well, this is a problem, I think. The function used in the web interface to read from the setupVars.conf file is case sensitive! This will fail if the capitalization of the variable names changes. |
|
Have you based off of |
|
Sure. It is now updated, see e.g. here: https://github.com/pi-hole/AdminLTE/blob/devel/data.php#L3 |
|
Yeah, turns out I completely imagined that I'd updated that... Good catch! |
| updateTopClientsChart(); | ||
|
|
||
| updateForwardDestinations(); | ||
|
|
||
| updateTopLists(); |
There was a problem hiding this comment.
updateTopClientsChart() and updateTopLists() are being called even if not authorized, which will cause more strain on the Pi-hole for no gain since those charts are not available when not logged in.
There was a problem hiding this comment.
The API will reject the queries anyway, so there isn't much work to be done here. Anyhow, I'll check if the items exist at all before trying to get the data.
| @@ -255,6 +263,27 @@ | |||
| <i class="fa fa-paypal"></i> <span>Donate</span> | |||
There was a problem hiding this comment.
We can still show the donate button when not logged in.
| else | ||
| document.getElementById("sessiontimercounter").textContent = "-- : --"; | ||
|
|
||
| $('.timer').text(currentTimeString); |
There was a problem hiding this comment.
currentTimeString is not defined
There was a problem hiding this comment.
Okay, that shouldn't be there, actually...
|
Edit: Fixed by clearing browser cache as per @Mcat12's suggestion |
|
I think that is from your browser not updating cached files. |
I think that is not necessary. Most people won't even know that there is some countdown in the background that might log them out at some time. If you like, we could put the timer display at some other (less hidden) place. Then everything should be more or less self-explanatory (they see that the timer is continuously reset on the main page). I see that codacy comolained about valid code since it wants to enforce a certain code style. I'm fine with that and will change the corresponding parts. |
|
So the session is based on time, not on the session? If a user leaves they can still come back within the hour and the session will still be active? |
|
@dschaper The session functionality of PHP has an internal timeout feature, i.e. it will invalidate a valid session on its own after a certain amount of time (defaulting to 24 minutes). Say you visit a site and close your browser completely. If you reopen it within the said 24 minutes, then your session will be refreshed and you have another 24 minutes. If, however, you open up your browser more than 24 minutes later, then you have to login again. If different users log in, each of them will have his own (independent) timeout. |
|
Okay, and then the logout button will immediately invalidate the session... |
|
As for Codacy, we have control of the applied rulesets, so if there are hits being registered that are no applicable, we can just disable those particular checks for these files. |
Conflicts: api.php js/pihole/index.js
|
Currently, the session countdown timer is slightly hidden because I don't know if people would want to see it. Should I put it to some more prominent place clearly visible to the logged in user? |
|
It's fine where it is. |
| && !!document.getElementById("ad-frequency")) | ||
| { | ||
| updateTopClientsChart(); | ||
| } | ||
|
|
||
| updateTopLists(); |
There was a problem hiding this comment.
This one should only be called if authorized.
There was a problem hiding this comment.
Actually, this should be moved to and replace line 155, because that one is called twice when authorized and never when not authorized.
|
Approved, pending merge resolution |
Conflicts: header.php
|
@Mcat12 Conflict resolved. |
|
Approved |
Fixes #128.
Changes proposed in this pull request:
Behavior:
No password is set: No surprises, everything is always shown to everyone.
The user sets a password in
setupVars.conf: Now, the user will be shown a "login" page:Also, clicking on the links "Enable/Disable" doesn't do anything completely locking out any non-authorized user.
Once logged in, the hashed password is always carried around in all links to be sure that we only have to log in once.
The hashing of the password guarantees that the password is never visible in plain-text to someone who might look over your shoulder.
Once we agree on how we like to have it, we should definitely add an (clearly documented) option for the pihole command to make it easy to set the password. We might even ask for it during the installation.
Syntax for
setupVars.conf:webpassword="ABC"@pi-hole/dashboard