Comments (24)
I found this issue on IssueHunt. Can I try to implement this?
from photoprism.
Using a middleware is a good start. We can also chat if you like: @lastzero on Telegram or join #photoprism in the gophers Slack (see Wiki).
from photoprism.
To document what I've just written in the chat:
Not sure if basic auth works because of our API as we are using JS to access it... must be tested. Maybe it's better to work with a token that can be stored in localStorage. I've implemented something like that already (you can reuse the JS code, backend is written in PHP):
- https://github.com/symlex/symlex/blob/master/frontend/src/common/session.js
- https://github.com/symlex/symlex/blob/master/src/Service/Session.php
You'd have to implement a session endpoint like /api/v1/session for login and logout in Go that works in a similar way, see https://github.com/photoprism/photoprism/tree/develop/internal/api
Maybe https://github.com/gin-contrib/sessions is helpful for that (never used it before).
Ideally we find a mechanism that also works for other clients like smartphone apps that use our API in the future. Our Config must be extended with a password field:
- https://github.com/photoprism/photoprism/blob/develop/internal/context/config.go
- https://github.com/photoprism/photoprism/blob/develop/internal/commands/flags.go
- https://github.com/photoprism/photoprism/blob/develop/internal/photoprism/config.go
We should use http-password (for the flag) / HttpPassword() (for the function) as we're also running a SQL server that can use a different password (that password would be sql-password then).
from photoprism.
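The token-based session endpoint proposed in the comment above, as an added example that is not PhotoPrism's code or part of the thread. It uses only the Go standard library rather than gin; the SessionStore type, the X-Session-Token header name and the sample password are assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"net/http"
	"sync"
)

type SessionStore struct { // hypothetical type, not from the project
	Password string   // stands in for the proposed http-password setting
	tokens   sync.Map // tokens issued since start-up, kept in memory only
}

// Login returns a fresh 256-bit random token; an unset password fails closed.
func (s *SessionStore) Login(password string) (string, bool) {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil || s.Password == "" || subtle.ConstantTimeCompare([]byte(password), []byte(s.Password)) != 1 {
		return "", false
	}
	s.tokens.Store(hex.EncodeToString(buf), true)
	return hex.EncodeToString(buf), true
}

// Handler serves the session endpoint and demands X-Session-Token elsewhere.
func (s *SessionStore) Handler(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		token := r.Header.Get("X-Session-Token")
		_, valid := s.tokens.Load(token)
		switch route := r.Method + " " + r.URL.Path; {
		case route == "POST /api/v1/session":
			if t, ok := s.Login(r.PostFormValue("password")); ok {
				w.Write([]byte(t))
			} else {
				http.Error(w, "unauthorized", http.StatusUnauthorized)
			}
		case !valid:
			http.Error(w, "unauthorized", http.StatusUnauthorized)
		case route == "DELETE /api/v1/session":
			s.tokens.Delete(token) // logout invalidates the token server-side
		default:
			next.ServeHTTP(w, r)
		}
	})
}

func main() {
	http.ListenAndServe("127.0.0.1:2342", (&SessionStore{Password: "constructed-example-password"}).Handler(http.NotFoundHandler()))
}
```

A JS client would keep the returned token in localStorage and send it in the header on every API call. Tokens here live only in memory, so a restart logs every client out.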
We'll add a new issue... But need to implement this first.
from photoprism.
Wondering if it would be a good idea to use OpenID here, so anyone who is hosting themselves can use their preferred or their existing OpenID Connect server.
So instead of doing password authentication, maybe we should just add support for an OpenID Connect client, and then, using configuration, you can set which OpenID server you will use.
from photoprism.
How shall I explain that to Laura? She knows a little bit of Open Office, uses Facebook and has a dog.
from photoprism.
Tell her not to worry much and to do the best she can. I believe someone from the community would create a PR if they needed this feature. Basically I was thinking along the same lines and thought it would be a good idea to share here.
from photoprism.
Ideally I would make it multi-user. In my use-case there are family photos and the family members have their personal photos that are not super secret but just need to be separated from the family photos. So I recommend more brainstorming about auth before even implementing a proof of concept. Any auth is not necessary for an alpha release I think but it needs to be a solid solution whenever it's approaching a beta level.
from photoprism.
When users see a multi-user login, they will think it's super secure. Either a good solution or no solution. In the worst case you run multiple instances and share. You would also need to configure multiple paths etc... every time you import e.g. from an SD card, you need to decide into which collection... makes the whole thing much more complex and complicated.
from photoprism.
I like this idea to authenticate users. Maybe this library will solve the problem: https://github.com/markbates/goth
from photoprism.
@0x46616c6b Already on my list! Nice user image ;)
A gin middleware like https://github.com/pjebs/restgate might be a better option for the use case (didn't look at it in detail yet). I don't really want to sign in with Facebook or Amazon at home, on my private photo collection. But the goth package is great otherwise.
from photoprism.
@issuehuntfest has funded $20.00 to this issue. See it on IssueHunt
from photoprism.
If we use HTTP basic auth with gin, I think the following code is a good example.
https://github.com/gin-gonic/gin#using-basicauth-middleware
from photoprism.
Thank you for your reply! I'll join the Slack workspace 🆗
from photoprism.
Just came across this project.
I see we're primarily leveraging docker/docker-compose for installation. Therefore may I suggest an alternative of using NGINX auth_request along with another tiny service to do the actual authentication (with whatever web service/services we desire).
For this project it may only exist as documentation / a sample docker-compose.yml, because the actual authentication service and NGINX configuration would be very loosely coupled to this project.
We do this at work to authenticate against Office365 auth services, the actual docker services themselves are completely unaware of the authentication.
from photoprism.
Many potential users want to run the final software as a single binary without Docker, so we can't just use a proxy. Also some sort of auth is required when we add sharing functionality later.
from photoprism.
Fair point about single binary, but you're already requiring MySQL, so it's not really just a single binary already...
I think you can do basic auth with only NGINX. It's certainly really easy to pass extra headers through to identify users.
Still presuming you still allow disabling auth, anybody can put what I describe in front of photoprism as a way to customize / harden / whatever. They'd just lose the identity for sharing.
from photoprism.
We use TiDB. Pure Go. MySQL is just for testing. See https://blog.liquidbytes.net/2018/12/personal-photo-management/
from photoprism.
In which case I understand your preference and TiDB looks pretty interesting, even though I'm way more into Docker/Microservices than Go.
from photoprism.
Would be great to have the ability to provide read-only access to the photo collection (with no authentication) and provide the ability to delete/upload data if the user is authenticated.
from photoprism.
@alexkutsan We will certainly build something like that, but want to finish albums and settings first.
from photoprism.
@lastzero should it be a separate issue? Or will you implement it in the scope of this one?
from photoprism.
For those that need a simple auth setup: you can put nginx in front of this app and have it do the HTTP Basic Auth check. First create an htpasswd file:
    sudo htpasswd -c /path/to/your/users.htpasswd USERNAMEHERE
Then add this to your nginx config (assuming you are serving the docker image on port 2342):
    server {
        server_name photo.example.com;
        ...
        location / {
            # Require a user from the htpasswd file before proxying
            auth_basic "Private";
            auth_basic_user_file /path/to/your/users.htpasswd;
            ...
            # Forward authenticated requests to the app on port 2342
            proxy_pass http://localhost:2342;
        }
    }
from photoprism.
@lastzero has rewarded $16.00 to @graciousgrey. See it on IssueHunt
- 💰 Total deposit: $20.00
- 🎉 Repository reward(10%): $2.00
- 🔧 Service fee(10%): $2.00
from photoprism.