preliminary web support for auth (#26)

Some caveats: * it doesn't record the peer IP yet, which makes it harder to verify sessions are valid. This is a little annoying to do in hyper now (see hyperium/hyper#1410). The direct peer might not be what we want right now anyway because there's no TLS support yet (see #27). In the meantime, the sane way to expose Moonfire NVR to the Internet is via a proxy server, and recording the proxy's IP is not useful. Maybe better to interpret a RFC 7239 Forwarded header (and/or the older X-Forwarded-{For,Proto} headers). * it doesn't ever use Secure (https-only) cookies, for a similar reason. It's not safe to use even with a tls proxy until this is fixed. * there's no "moonfire-nvr config" support for inspecting/invalidating sessions yet. * in debug builds, logging in is crazy slow. See libpasta/libpasta#9. Some notes: * I removed the Javascript "no-use-before-defined" lint, as some of the functions form a cycle. * Fixed #20 along the way. I needed to add support for properly returning non-OK HTTP statuses to signal unauthorized and such. * I removed the Access-Control-Allow-Origin header support, which was at odds with the "SameSite=lax" in the cookie header. The "yarn start" method for running a local proxy server accomplishes the same thing as the Access-Control-Allow-Origin support in a more secure manner.
2025-11-25 03:56:18 -05:00 · 2018-11-25 21:31:50 -08:00
parent 679370c77a
commit 422cd2a75e
21 changed files with 923 additions and 212 deletions
--- a/ui-src/assets/index.html
+++ b/ui-src/assets/index.html
@@ -5,6 +5,8 @@
    <title>Moonfire NVR</title>
  </head>
  <body>
+    <div id="session">
+    </div>
    <div id="nav">
      <form action="#">
        <fieldset>
@@ -72,6 +74,27 @@
      </fieldset>
      </form>
    </div>
-  <table id="videos"></table>
-</body>
+    <table id="videos"></table>
+    <div id="login">
+      <form>
+        <fieldset>
+          <table>
+            <tr>
+              <td><label for="login-username">Username:</label></td>
+              <td><input type="text" id="login-username" name="username"></td>
+            </tr>
+            <tr>
+              <td><label for="login-password">Password:</label></td>
+              <td><input type="password" id="login-password" name="password"></td>
+            </tr>
+            <tr>
+              <td></td>
+              <td><input type="submit" tabindex="-1" style="position:absolute; top:-1000px"></td>
+            </tr>
+          </table>
+          <p id="login-error"></p>
+        </fieldset>
+      </form>
+    </div>
+  </body>
 </html>