
Comments (24)

m0t0k1ch1 avatar m0t0k1ch1 commented on May 1, 2024 1

I found this issue on IssueHunt. Can I try to implement this?

from photoprism.

lastzero avatar lastzero commented on May 1, 2024 1

Using a middleware is a good start. We can also chat if you like: @lastzero on Telegram or join #photoprism in the gophers Slack (see Wiki).


lastzero avatar lastzero commented on May 1, 2024 1

To document what I've just written in the chat:

Not sure if basic auth works because of our API as we are using JS to access it... must be tested. Maybe it's better to work with a token that can be stored in localStorage. I've implemented something like that already (you can reuse the JS code, backend is written in PHP):

You'd have to implement a session endpoint like /api/v1/session for login and logout in Go that works in a similar way, see https://github.com/photoprism/photoprism/tree/develop/internal/api

Maybe https://github.com/gin-contrib/sessions is helpful for that (never used it before).

Ideally we find a mechanism that also works for other clients like smartphone apps that use our API in the future.

Our Config must be extended with a password field:

We should use http-password (for the flag) / HttpPassword() (for the function) as we're also running a SQL server that can use a different password (that password would be sql-password then).

from photoprism.
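The session-endpoint idea from the comment above, sketched with Go's standard library as an added example (not PhotoPrism's code and not posted by anyone in the thread). The `Sessions` type, the `X-Session-Token` header, the `password` form field, the in-memory token store and the placeholder password are all assumptions made for illustration.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"net/http"
	"sync"
)

// Sessions keeps issued tokens in memory; password stands in for HttpPassword().
type Sessions struct {
	password string
	tokens   sync.Map
}

// Login issues a random token if the password matches (empty config fails closed).
func (s *Sessions) Login(password string) (string, bool) {
	b := make([]byte, 32)
	match := subtle.ConstantTimeCompare([]byte(password), []byte(s.password)) == 1
	if _, err := rand.Read(b); err != nil || !match || s.password == "" {
		return "", false
	}
	s.tokens.Store(hex.EncodeToString(b), true)
	return hex.EncodeToString(b), true
}

// Handler: POST/DELETE /api/v1/session log in/out; rest need X-Session-Token (assumed name).
func (s *Sessions) Handler(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		token, onSession := r.Header.Get("X-Session-Token"), r.URL.Path == "/api/v1/session"
		if onSession && r.Method == http.MethodPost {
			token, _ = s.Login(r.PostFormValue("password"))
		}
		switch _, valid := s.tokens.Load(token); {
		case !valid:
			http.Error(w, "unauthorized", http.StatusUnauthorized)
		case onSession && r.Method == http.MethodPost:
			w.Write([]byte(token))
		case onSession && r.Method == http.MethodDelete:
			s.tokens.Delete(token)
		default:
			next.ServeHTTP(w, r)
		}
	})
}

func main() { // stand-in backend and placeholder password, for a local try-out
	http.ListenAndServe("127.0.0.1:2342", (&Sessions{password: "change-me"}).Handler(http.NotFoundHandler()))
}
```

The password is read from the POST body only, so it does not end up in URLs or access logs; the token returned by login is what a JS client would keep in localStorage and send back in the header.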

lastzero avatar lastzero commented on May 1, 2024 1

We'll add a new issue... But need to implement this first.


adeel41 avatar adeel41 commented on May 1, 2024

Wondering if it would be a good idea to use OpenID here, so anyone who is hosting it themselves can use their preferred or their existing OpenID Connect server.

So instead of doing password authentication, maybe we should just add support for an OpenID Connect client, and then, using configuration, you can set which OpenID server you will use.


lastzero avatar lastzero commented on May 1, 2024

How shall I explain that to Laura? She knows a little bit of Open Office, uses Facebook and has a dog.


adeel41 avatar adeel41 commented on May 1, 2024

Tell her not to worry much and to do the best she can. I believe someone from the community would create a PR if they needed this feature. Basically I was thinking along the same lines and thought it would be a good idea to share here.


devzsolt avatar devzsolt commented on May 1, 2024

Ideally I would make it multi-user. In my use-case there are family photos and the family members have their personal photos that are not super secret but just need to be separated from the family photos. So I recommend more brainstorming about auth before even implementing a proof of concept. Any auth is not necessary for an alpha release I think but it needs to be a solid solution whenever it's approaching a beta level.


lastzero avatar lastzero commented on May 1, 2024

When users see a multi-user login, they will think it's super secure. Either a good solution or no solution. In the worst case you run multiple instances and share. You would also need to configure multiple paths etc... every time you import e.g. from a SD card, you need to decide into which collection... makes the whole thing much more complex and complicated.


0x46616c6b avatar 0x46616c6b commented on May 1, 2024

I like this idea to authenticate users. Maybe this library will solve the problem: https://github.com/markbates/goth


lastzero avatar lastzero commented on May 1, 2024

@0x46616c6b Already on my list! Nice user image ;)

A gin middleware like https://github.com/pjebs/restgate might be a better option for the use case (didn't look at it in detail yet). I don't really want to sign in with Facebook or Amazon at home, on my private photo collection. But the goth package is great otherwise.


IssueHuntBot avatar IssueHuntBot commented on May 1, 2024

@issuehuntfest has funded $20.00 to this issue. See it on IssueHunt


m0t0k1ch1 avatar m0t0k1ch1 commented on May 1, 2024

If we use HTTP basic auth with gin, I think the following code is a good example.

https://github.com/gin-gonic/gin#using-basicauth-middleware


m0t0k1ch1 avatar m0t0k1ch1 commented on May 1, 2024

Thank you for your reply! I'll join the Slack workspace 🆗


forbesmyester avatar forbesmyester commented on May 1, 2024

Just came across this project.

I see we're primarily leveraging docker/docker-compose for installation. Therefore may I suggest an alternative of using NGINX auth_request along with another tiny service to do the actual authentication (with whatever web service/services we desire).

For this project it may only exist as documentation / a sample docker-compose.yml, because the actual authentication service and NGINX configuration would be very loosely coupled to this project.

We do this at work to authenticate against Office365 auth services, the actual docker services themselves are completely unaware of the authentication.


lastzero avatar lastzero commented on May 1, 2024

Many potential users want to run the final software as a single binary without Docker, so we can't just use a proxy. Also some sort of auth is required when we add sharing functionality later.


forbesmyester avatar forbesmyester commented on May 1, 2024

Fair point about single binary, but you're already requiring MySQL, so it's not really just a single binary already...

I think you can do basic auth with only NGINX. It's certainly really easy to pass extra headers through to identify users.

Still presuming you still allow disabling auth, anybody can put what I describe in front of photoprism as a way to customize / harden / whatever. They'd just lose the identity for sharing.


lastzero avatar lastzero commented on May 1, 2024

We use TiDB. Pure Go. MySQL is just for testing. See https://blog.liquidbytes.net/2018/12/personal-photo-management/


forbesmyester avatar forbesmyester commented on May 1, 2024

In which case I understand your preference and TiDB looks pretty interesting, even though I'm way more into Docker/Microservices than Go.


alexkutsan avatar alexkutsan commented on May 1, 2024

Would be great to have the ability to provide read-only access to the photo collection (with no authentication) and provide the ability to delete/upload data if the user is authenticated.


lastzero avatar lastzero commented on May 1, 2024

@alexkutsan We will certainly build something like that, but want to finish albums and settings first.


alexkutsan avatar alexkutsan commented on May 1, 2024

@lastzero Should it be a separate issue? Or will you implement it in the scope of this one?


xeoncross avatar xeoncross commented on May 1, 2024

For those that need a simple auth setup: you can put nginx in front of this app and have it do the HTTP Basic Auth check. First create an htpasswd file:

sudo htpasswd -c /path/to/your/users.htpasswd USERNAMEHERE

Then add this to your nginx config (assuming you are serving the docker image on port 2342):

server {
    server_name photo.example.com;
    ...
    location / {
        auth_basic "Private";
        auth_basic_user_file /path/to/your/users.htpasswd;
        ...
        proxy_pass http://localhost:2342;
    }
}


issuehunt-oss avatar issuehunt-oss commented on May 1, 2024

@lastzero has rewarded $16.00 to @graciousgrey. See it on IssueHunt

  • 💰 Total deposit: $20.00
  • 🎉 Repository reward(10%): $2.00
  • 🔧 Service fee(10%): $2.00
