❌ Deprecation of built-in auth #1469
Lissy93 announced in Announcements
Replies: 2 comments, 1 reply
How about supporting and/or implementing AD/LDAP and/or SSO like OAuth or OIDC? It will prompt users to have a separate user system, but it would be worthwhile in the long run.
I think this is a really positive change for the project. I'm sure it's hard to cut a feature you've spent so much time on, but I really do think that the current system gives users a false sense of security.
Hello everyone 👋
An update regarding Dashy's built-in authentication option. Due to the issues outlined below, I'm going to be dropping official support for it. Of course, you can still continue using it on your locally running instances, but you should be aware of its flaws before doing so.
Why is this happening?
I am concerned that officially supporting it may lead some users into a false sense of security.
What's wrong with the built-in auth?
Dashy's built-in auth was intended to provide a simple login page, without requiring you to need to spin up any other services. It was never meant to be a primary line of defense in a publicly hosted instance.
The built-in auth has several security issues, which make it inappropriate for securing a public instance:
What does this mean for you?
You can still use the built-in auth if you wish, but I highly recommend that you only do so on a locally self-hosted instance, which is not publicly accessible.
The most secure way to protect Dashy (and any other self-hosted services you're running) is either:
And of course, if your instance is hosted publicly, ensure your conf.yml is specified with the read-only (:ro) flag.

I'm sorry if this is an inconvenience to anyone; I did spend a fair bit of time looking into alternative methods to re-implement authentication without needing to deprecate it. But I felt like this is the best way forward from a security perspective. Let me know below if you have any comments, questions, etc.
💙
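To make the read-only recommendation in the announcement above concrete, here is an added Docker Compose example; it is not the Dashy project's own compose file and not part of the announcement. It contrasts a writable bind mount of conf.yml with the read-only (:ro) mount the announcement recommends. The image name, host port and the in-container path /app/user-data/conf.yml are assumptions to check against the Dashy docs for the version you run.

```yaml
# Added example, not the project's own compose file. The image name, host port
# and the in-container config path are assumptions; verify them against the
# Dashy docs for your version.
services:
  dashy:
    image: lissy93/dashy
    container_name: dashy
    ports:
      - "4000:8080"   # host:container (assumed defaults)
    volumes:
      # Writable bind mount (the setting to avoid on a public instance): the
      # in-app config editor can write changes straight back to the file on
      # the host, so anyone who gets past the login page can persist them.
      # - ./conf.yml:/app/user-data/conf.yml
      #
      # Read-only bind mount: the container can read the config, but any
      # attempt to write it back fails, so the file on disk stays as you set it.
      - ./conf.yml:/app/user-data/conf.yml:ro
    restart: unless-stopped
```

With the :ro mount in place, edits made through the UI are not persisted to disk; to change the configuration you edit conf.yml on the host and restart the container, which is the trade-off the announcement is asking publicly hosted instances to accept.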