Open
Conversation
Contributor
|
I've not looked at the code so take this comment with a pinch of salt.
Messing with the authentication sounds like it has the possibility of
introducing security vulnerabilities. Both at the code level and at the
usage level.
What are your thoughts on mitigating against this?
…On Wed, 19 Mar 2025, 12:27 Johannes L. Hörmann, ***@***.***> wrote:
For local use, I want to introduce an option to turn on and off
authentication and JWT authorization altogether. For dservercore, I have
already implemented such an option, jic-dtool/dservercore#87. For the webapp, the
current branch removes authentication altogether. Still need to make it
configurable.
------------------------------
Commit Summary
- 88d5c7c ENH: removed authentication
File Changes
(4 files <https://github.com/jic-dtool/dtool-lookup-webapp/pull/33/files>)
- *M* dtool-lookup-webapp/src/App.vue (35)
  <https://github.com/jic-dtool/dtool-lookup-webapp/pull/33/files#diff-e079e9ee450f1ac66dfbe71b0f6837e1648341eb4a2a639985865baea3917c93>
- *D* dtool-lookup-webapp/src/components/SignIn.vue (451)
  <https://github.com/jic-dtool/dtool-lookup-webapp/pull/33/files#diff-dc3ae126a3450fc546cac36b46390781789d46033c1aa78a68194214cac4a6cb>
- *M* dtool-lookup-webapp/src/components/SummaryInfo.vue (18)
  <https://github.com/jic-dtool/dtool-lookup-webapp/pull/33/files#diff-4246db9e7cdd19e2ee3c1f82547e371ebb80b94e49dfc3f5781b969b5228417f>
- *D* dtool-lookup-webapp/src/utils/jwtUtils.js (18)
  <https://github.com/jic-dtool/dtool-lookup-webapp/pull/33/files#diff-51aac6c6bd2405a0f801fc508b43de0985530df5b459ac1fffbee66e2f480cb4>
Patch Links:
- https://github.com/jic-dtool/dtool-lookup-webapp/pull/33.patch
- https://github.com/jic-dtool/dtool-lookup-webapp/pull/33.diff
|
Member
Author
|
I don't see danger here as long as it's cleanly implemented, i.e. authentication is always activated by default (both on server and on client side). But it can be disabled when explicitly setting the right configuration option. This always happens at service launch, e.g. via the usual environment variables for configuring Flask app and Vue app, and cannot be modified at runtime. I want to put together a lean container that exposes both dserver and the webapp and quickly builds an index on a local directory when run with a command like In this use case the authentication is superfluous and hinders smooth and quick access. |
For local use, I want to introduce an option to turn on and off authentication and JWT authorization altogether. For dservercore, I have already implemented such an option, jic-dtool/dservercore#87. For the webapp, the current branch removes authentication altogether. Still need to make it configurable.
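
The launch-time switch discussed in this thread (authentication on by default, disabled only by an explicit option read once at startup) can be sketched as below. This is an added example, not code from dservercore or the webapp. The variable names `EXAMPLE_DISABLE_AUTH` and `EXAMPLE_BIND_HOST`, and the rule that unauthenticated mode is only accepted on a loopback bind address, are assumptions of this sketch.

```python
import ipaddress
import os
from dataclasses import dataclass

# Hypothetical variable names for this sketch; the real option names are not on the page.
DISABLE_AUTH_VAR = "EXAMPLE_DISABLE_AUTH"
BIND_HOST_VAR = "EXAMPLE_BIND_HOST"


class ConfigError(ValueError):
    """Raised at launch when the auth configuration is ambiguous or unsafe."""


@dataclass(frozen=True)  # frozen: the decision cannot be changed at runtime
class AuthSettings:
    auth_enabled: bool
    bind_host: str


def _is_loopback(host: str) -> bool:
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # unknown host names are treated as non-local


def load_auth_settings(environ=os.environ) -> AuthSettings:
    """Read the switch once at service launch; fail closed on anything unclear."""
    raw = environ.get(DISABLE_AUTH_VAR)
    host = environ.get(BIND_HOST_VAR, "127.0.0.1")
    if raw is None or raw == "":
        return AuthSettings(auth_enabled=True, bind_host=host)  # secure default
    value = raw.strip().lower()
    if value in ("0", "false", "no"):
        return AuthSettings(auth_enabled=True, bind_host=host)
    if value not in ("1", "true", "yes"):
        # A typo must never silently select either mode.
        raise ConfigError(f"{DISABLE_AUTH_VAR}={raw!r} is not a recognised boolean")
    if not _is_loopback(host):
        # Assumption of this sketch: unauthenticated mode is for local use only.
        raise ConfigError(f"refusing to disable auth while bound to {host!r}")
    return AuthSettings(auth_enabled=False, bind_host=host)
```

Calling `load_auth_settings()` once before the app object is created and passing the frozen result around keeps the decision out of any request-time code path.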