
Comments (12)

sanchomuzax commented on September 3, 2024

I support/want it.

from rpi-monitor.

dedunumax commented on September 3, 2024

Currently there is no server-side scripting involved in the web interface. It is just JavaScript. I don't think this is doable just with JavaScript. We may want to use Python at least. And it should be lightweight. Since Python is a built-in package, it would be easy.

from rpi-monitor.

sanchomuzax commented on September 3, 2024

I'm using a lighttpd server on my Raspberry Pi. Unfortunately, I failed to set the RPi-Monitor's protection.

from rpi-monitor.

dedunumax commented on September 3, 2024

Currently I haven't exposed that to a public network. I just use SSH tunneling to access it.

from rpi-monitor.

XavierBerger commented on September 3, 2024

The purpose of RPi-Monitor is to... monitor. I decided not to add any authentication for different reasons (security, time...).

But if somebody wants to add such a feature to RPi-Monitor, why not. If the code is well written, I will merge such a pull request.
In my opinion, the authentication that could be integrated into RPi-Monitor should not aim to be as secure as Fort Knox, but should be there to avoid exposing to the public the data managed by RPi-Monitor (which could be private). Remember that RPi-Monitor is not using HTTPS.

This authentication should be optional and activatable by configuration (to keep the existing behaviour of RPi-Monitor).

If I had to develop such a feature (you understood that, for the moment, I'll not), I would do like this:

  • If an unauthenticated request is coming from a client, the server will send an authentication page.
  • When authentication is submitted, RPi-Monitor will check the login credentials and send a token (randomly generated).
  • The client will add this token to every request (the token should be stored in LocalStorage on the client side).
  • If the token is wrong or is missing, the user is not authenticated and RPi-Monitor will send the login page.
  • The token will be removed from RPi-Monitor memory "n" seconds after the last request (n will be configurable).

To implement such a feature, it will be required to update rpimonitord to read the login and password (stored encrypted), generate the token and manage the token validity.
It will be required to modify the JavaScript links to add the token value as a parameter to each request.

What is your opinion about the proposed algorithm? Do you have feedback about this algorithm?
Is there a volunteer to develop such a feature?
(If yes, I'll create a branch dedicated to this feature which will be used during the development)

from rpi-monitor.
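The token scheme proposed in the comment above, as an added example that is not part of the thread or of RPi-Monitor's code. It is written in Python rather than the project's Perl, and the `TokenAuth` class, the PBKDF2 password hash (standing in for "stored encrypted") and the injectable clock are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time


class TokenAuth:
    """In-memory session tokens that expire n seconds after the last request."""

    def __init__(self, user, salt, pw_hash, idle_seconds, clock=time.monotonic):
        self.user, self.salt, self.pw_hash = user, salt, pw_hash
        self.idle_seconds = idle_seconds      # the configurable "n"
        self.clock = clock                    # injectable so expiry can be tested
        self.last_seen = {}                   # sha256(token) -> time of last valid request

    @staticmethod
    def hash_password(password, salt, rounds=200_000):
        # Assumption: the configuration stores a salted PBKDF2 hash, not the password.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)

    @staticmethod
    def _key(token):
        # Index by digest so the raw token is never kept in server memory.
        return hashlib.sha256(token.encode()).hexdigest()

    def login(self, user, password):
        """Return a fresh random token, or None when the credentials are wrong."""
        candidate = self.hash_password(password, self.salt)
        user_ok = hmac.compare_digest(user.encode(), self.user.encode())
        pw_ok = hmac.compare_digest(candidate, self.pw_hash)
        if not (user_ok and pw_ok):
            return None
        token = secrets.token_urlsafe(32)     # 256 bits from the OS CSPRNG
        self.last_seen[self._key(token)] = self.clock()
        return token

    def check(self, token):
        """True if the token is known and was used within the idle window."""
        now = self.clock()
        # Forget every token that has been idle for longer than n seconds.
        self.last_seen = {k: t for k, t in self.last_seen.items()
                          if now - t <= self.idle_seconds}
        if not token or self._key(token) not in self.last_seen:
            return False                      # caller answers with the login page
        self.last_seen[self._key(token)] = now  # each valid request restarts the timer
        return True
```

Since RPi-Monitor is not using HTTPS, both the password and the token travel in clear text unless the port is wrapped, for example with the stunnel or nginx setups mentioned later in this thread.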

dedunumax commented on September 3, 2024

I'll start developing this feature.

Do you have any suggestions on technologies?

from rpi-monitor.

XavierBerger commented on September 3, 2024

Nice news :-)
For an easy integration, you should continue to use the technologies I have used until now.
Perl for RPi-Monitor. There is a class Server managing the requests from the web server. The function do_Get should be updated. The object Configuration is designed to read data from configuration files into a hashtable; rpimonitord -s will show how the configuration files are loaded.
A dedicated page should be created in HTML; you will notice that I used bootstrap and jquery.
For the requests sent from the client, it could be a little bit more tricky; I'll let you propose some solutions.
If you have questions about the design of RPi-Monitor, feel free to ask...

from rpi-monitor.

XavierBerger commented on September 3, 2024

I did create a branch devel-auth. I'll ask you to use this branch for development. When we have a working version of this feature, I'll merge it into the main branch.
This branch is designed for development, so don't hesitate to do pull requests on it; I'll merge them immediately. I'll also merge my updates to let you have an up-to-date version of the code.

from rpi-monitor.

dedunumax commented on September 3, 2024

Thank you! I'll start developing.

from rpi-monitor.

typhoon71 commented on September 3, 2024

How is this one going? Just asking.
If there's auth, one could use stunnel and be happy/secure without having to configure a reverse proxy.
Other programs have login only (like transmission-daemon), and the easy way to secure them is to enable auth and have the daemon listen on localhost only, then stunnel it. And stunnel is really easy to set.

from rpi-monitor.

abhigyan17 commented on September 3, 2024

There will be many scripts or webmin addons available to put authentication on a particular port 8888. Need to search for that.

from rpi-monitor.

XavierBerger commented on September 3, 2024

A solution exists with nginx configuration, explained here: http://rpi-experiences.blogspot.fr/2013/05/rpi-monitor-security-and-authentication.html

from rpi-monitor.
