Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Allow disabling authentication entirely #520

Open
pkoenig10 opened this issue Jan 14, 2018 · 9 comments
Open

Allow disabling authentication entirely #520

pkoenig10 opened this issue Jan 14, 2018 · 9 comments

Comments

@pkoenig10
Copy link

pkoenig10 commented Jan 14, 2018

This would be useful for servers that use SSO or some other authentication layer before requests reach PlexRequests. Forcing users to sign in twice is cumbersome in these setups.

See Ombi-app/Ombi#454 for related issue.

@AngryNoodlez
Copy link
Contributor

Hi pkoenig10,

SSO is easy to implement with PlexRequests-Meteor as standard authentication just stores two values in localStorage.

I use PlexAuth and have PlexRequests-Meteor sign in automatically with a bit of JavaScript. Disabling authentication entirely would mean you wouldn’t get the benefit of seeing who’s requested items, and being able to apply restrictions to different users.

I’ve seen you’ve posted the same question on Ombi. With Ombi v3 it is also possible to implement SSO, though slightly more involved.

@pkoenig10
Copy link
Author

Right, by disabling any form of sign-in I'm implicitly saying I don't care who requests an item.

Is this JavaScript an automated task you've setup in your own browser? I was looking for a solution that worked for all users.

@AngryNoodlez
Copy link
Contributor

It’s not a client side modification no, the jacascript is sent from the server and runs in the client browser, so works for all users.

Do you have discord?

@pkoenig10
Copy link
Author

I do not.

Can you just give a quick explanation of what you did? Does PlexAuth or PlexRequests allow you to send arbitrary JavaScript? Or did you just make direct modifications to the source code?

@AngryNoodlez
Copy link
Contributor

AngryNoodlez commented Jan 15, 2018

If you use PlexAuth you can initiate JavaScript in multiple ways. If you use the muximux module and iFrame the Plexrequests content you can apply the JavaScript on PlexAuth, otherwise you can modify the code directly in Plexrequests.

From what I can see you have two ways of doing it;

  1. If you don’t care about who requests things, you can sign all users in as one person. As far as I know this can be any username, it doesn’t need to be on your friends list. To do this, add the following script to your “client\templates\home\home.html” file. (Using Anonymous as an example)
<script>
localStorage.setItem("__amplify__auth","{\"data\":\"true\",\"expires\":null}");
localStorage.setItem("__amplify__user","{\"data\":\"Anonymous\",\"expires\":null}");
location.reload();
</script>
  1. If you are bothered about the user who requests things, you can apply the same substituting the username, i.e Anonymous- with a variable containing their username. I use PlexAuth and store their username in a javascript variable, then set localStorage as below;
<script>
localStorage.setItem("__amplify__auth","{\"data\":\"true\",\"expires\":null}");
localStorage.setItem("__amplify__user","{\"data\":\"" + username + "\",\"expires\":null}");
</script>

@pkoenig10
Copy link
Author

pkoenig10 commented Jan 15, 2018

I'm just using nginx with oauth2_proxy.

I think built-in support for unauthenticated requests is a pretty common and reasonable use case. You shouldn't have to modify source code or deploy a wrapping service just to get this behavior. Especially when the default configuration doesn't really authentication anything (it just asks for a way to identify a user).

@AngryNoodlez
Copy link
Contributor

I agree, though I don’t think turning off authentication is a particularly common use case. Yes, this application doesn’t really have much in terms of security of standard users, (admin auth is different) but other applications such as Ombi do have full authentication.

But I’m by no means a developer, and to be honest I’d rather not have Ombi or Plexrequests-Meteor exposed directly so implementing an SSO solution which facilitated allowing me to identify each user is much more suitable. Building in support for SSO I guess would differ depending on the way it’s used, but that’s why Ombi v3 now has an API you can use to avoid modifying source code. You can use sub_filter in nginx to make this work - However, I’m not a big fan of Ombi so I’m more than happy to add a couple of lines of code to make seamless SSO work with my solution.

@pkoenig10
Copy link
Author

To be clear, I'm not asking for PlexRequests to integrate with SSO solutions to identify users; I agree that is outside the scope of this project. I don't really care to know who makes an individual requests. If they have access to the request page, I have already decided they are an authenticated user.

Many other services (including Sonarr, Radarr, and PlexPy) support disabling authentication entirely for this type of setup. I'm happy to make the PR. Just wanted to create the issue so it would be tracked.

@AngryNoodlez
Copy link
Contributor

Thinking about it, you can use nginx sub_filter to add those values to local storage without modifying code, as it would just inject it in the session.

Though I can’t see any harm in it allowing for authentication to be disabled.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants