MyFavMirrors/moonfire-nvr
1
0
Fork 0
mirror of https://github.com/scottlamb/moonfire-nvr.git synced 2025-12-08 00:32:26 -05:00
Code Issues Packages Projects Releases Wiki Activity

preliminary web support for auth (#26)

Browse Source 
Some caveats:

  * it doesn't record the peer IP yet, which makes it harder to verify
    sessions are valid. This is a little annoying to do in hyper now
    (see hyperium/hyper#1410). The direct peer might not be what we want
    right now anyway because there's no TLS support yet (see #27).  In
    the meantime, the sane way to expose Moonfire NVR to the Internet is
    via a proxy server, and recording the proxy's IP is not useful.
    Maybe better to interpret a RFC 7239 Forwarded header (and/or
    the older X-Forwarded-{For,Proto} headers).

  * it doesn't ever use Secure (https-only) cookies, for a similar reason.
    It's not safe to use even with a tls proxy until this is fixed.

  * there's no "moonfire-nvr config" support for inspecting/invalidating
    sessions yet.

  * in debug builds, logging in is crazy slow. See libpasta/libpasta#9.

Some notes:

  * I removed the Javascript "no-use-before-defined" lint, as some of
    the functions form a cycle.

  * Fixed #20 along the way. I needed to add support for properly
    returning non-OK HTTP statuses to signal unauthorized and such.

  * I removed the Access-Control-Allow-Origin header support, which was
    at odds with the "SameSite=lax" in the cookie header. The "yarn
    start" method for running a local proxy server accomplishes the same
    thing as the Access-Control-Allow-Origin support in a more secure
    manner.
This commit is contained in:
Scott Lamb
2018-11-25 21:31:50 -08:00
parent 679370c77a
commit 422cd2a75e
21 changed files with 923 additions and 212 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
src/cmds/run.rs
View File

@@ -66,9 +66,8 @@ Options:
--http-addr=ADDR Set the bind address for the unencrypted HTTP server.
[default: 0.0.0.0:8080]
--read-only Forces read-only mode / disables recording.
--allow-origin=ORIGIN If present, adds a Access-Control-Allow-Origin:
header to HTTP responses. This may be useful for
Javascript development.
--require-auth=BOOL Requires authentication to access the web interface.
[default: true]
"#;
#[derive(Debug, Deserialize)]
@@ -77,7 +76,7 @@ struct Args {
flag_http_addr: String,
flag_ui_dir: String,
flag_read_only: bool,
flag_allow_origin: Option<String>,
flag_require_auth: bool,
}
fn setup_shutdown() -> impl Future<Item = (), Error = ()> + Send {
@@ -180,7 +179,7 @@ pub fn run() -> Result<(), Error> {
let zone = resolve_zone()?;
info!("Resolved timezone: {}", &zone);
let s = web::Service::new(db.clone(), Some(&args.flag_ui_dir), args.flag_allow_origin, zone)?;
let s = web::Service::new(db.clone(), Some(&args.flag_ui_dir), args.flag_require_auth, zone)?;
// Start a streamer for each stream.
let shutdown_streamers = Arc::new(AtomicBool::new(false));