No authorization mode (bonsai, CLOSED)

impworks commented on June 1, 2024
No authorization mode

from bonsai.

Comments (5)

impworks commented on June 1, 2024

This feature is finally implemented.

There is a new authorization option: Password Authorization. It's configured by the Auth.AllowPasswordAuth option in appsettings.json, which is turned on by default. This allows you to:

  • Register the initial admin user without configuring any social network providers
  • Create new user accounts with a login and password

A user account is always bound to a specific type of authorization. There is no way to change the authorization type for an existing account.

The password for any account can be reset by the administrator. The administrator can reset their own password as well if they are logged in. However, if there is only one admin account, it's password-based and the password is forgotten - there's no built-in way to restore this password besides raw database manipulation by external tools. I'm considering this functionality for later.

A user account will get locked out if there are 10 consecutive failed password attempts. To unlock the user, their password must be reset.

from bonsai.
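
The lockout rule described in the comment above, modeled as an added example (not Bonsai's code and not part of the original thread). The `Account` fields, function names, the "password"/"remote" labels and the PBKDF2 settings are assumptions made for illustration; only the 10-attempt threshold, the fixed authorization type and unlock-by-reset come from the comment.

```python
import hashlib, hmac, os
from dataclasses import dataclass

MAX_FAILED_ATTEMPTS = 10  # threshold stated in the comment above

@dataclass
class Account:
    login: str
    auth_type: str  # "password" or "remote"; never changed after creation
    salt: bytes = b""
    pw_hash: bytes = b""
    failed_attempts: int = 0
    locked: bool = False

def _hash(password, salt):
    # PBKDF2 and its iteration count are illustrative choices, not Bonsai's
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def admin_reset_password(acct, new_password):
    # Resetting the password is the only unlock path described in the thread
    if acct.auth_type != "password":
        raise ValueError("account is bound to a different authorization type")
    acct.salt = os.urandom(16)
    acct.pw_hash = _hash(new_password, acct.salt)
    acct.failed_attempts, acct.locked = 0, False

def try_login(acct, password):
    if acct.auth_type != "password":
        return "wrong-auth-type"
    if acct.locked:
        return "locked"  # refused even with the correct password
    if hmac.compare_digest(_hash(password, acct.salt), acct.pw_hash):
        acct.failed_attempts = 0  # only consecutive failures count
        return "ok"
    acct.failed_attempts += 1
    acct.locked = acct.failed_attempts >= MAX_FAILED_ATTEMPTS
    return "locked" if acct.locked else "denied"

def demo():
    acct = Account("grandma", "password")  # constructed sample account
    admin_reset_password(acct, "correct horse")
    out = [try_login(acct, "guess") for _ in range(9)]
    out.append(try_login(acct, "correct horse"))  # success resets the counter
    out += [try_login(acct, "guess") for _ in range(10)]  # 10th one locks
    out.append(try_login(acct, "correct horse"))  # still locked
    admin_reset_password(acct, "new pass")
    out.append(try_login(acct, "new pass"))
    return out
```
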

impworks commented on June 1, 2024

  • User authorization kinds: remote provider & password (database support)
  • Reset password for a user in admin panel
  • Authorization form
  • Initial registration when no remote providers are configured
  • Root admin password reset

from bonsai.

impworks commented on June 1, 2024

This needs careful consideration.

There were 2 main reasons for choosing Facebook / Google as primary authorization options:

  1. All the complexity is delegated to these services: you don't need to configure 2FA, SMTP for sending password reset emails, pay for an SMS gateway integration, etc. There are benefits for everyone: smaller code in Bonsai to maintain, fewer dependencies for admins and a frictionless process for users.
  2. Facebook provides name and email, so the user doesn't have to enter them manually during registration. Gender and birthday can also be retrieved, but this requires the app to be validated by Facebook (hard and cumbersome), so these were dropped.

So, for "production mode" OAuth providers will stay as the only authorization option. However, it makes sense to add a "no-authorization" mode for people who are just checking Bonsai out and want faster installation. For example, there will be just one account named "Admin", which requires no authorization.

I will look into this, but this is not the top priority at the moment.

from bonsai.

redmanmale commented on June 1, 2024

I understand your position; however, I'd like to propose another option.

If we consider this application primarily as a not-so-big family service ruled by one person who knows what he's doing, I think the easiest way for authorization would be to just insert login/passwords for all family members directly into the DB (or via an admin page).
Yes, it's a manual operation, but it's one-time, since I assume a family isn't a really fast-growing thing.

It could also be a much easier way to give access to elderly (or not) family members who don't have Facebook or Google accounts but are able to use a written login/password.

from bonsai.

impworks commented on June 1, 2024

Assigning accounts manually makes sense. Can't give an estimate on when I'll get round to implementing this, though, but a pull request would be very welcome.

from bonsai.
