Multi-user support #172
When I change the setting to Multiple Users I get an error. Where should I set up the initial admin user?

Strange, I can't reproduce it... Though I think I saw a similar error and fixed it with the last commit (0f73225), are you using it? Right now, for simplicity and compatibility with the current RPC-password-as-PIN login option, I made the admin be the username

That might be a problem: I am using cookies in Core, so there is no static username and password in my case.

Maybe if the multi-user option is selected we could show two more inputs in the settings: admin username and password.

Makes sense. I have now added in the settings that any user can change their username and password, and noted that for the admin the default is admin for both.
I think we should set the user to admin if login is disabled, because otherwise `current_user.is_admin` doesn't work.
I was able to get to the multi-user mode when I first switched from None to the rpcpassword auth mechanism, and then to multiuser. From None to multiuser still doesn't work. How to reproduce:

Now works. Just tried registering a new user: works fine! I see that the user has full access to devices that he doesn't own; in particular he can delete the device, delete the keys of the device, or even add new keys to the device of another user. I think we should at least disable the editing capabilities for devices that the user doesn't own. Maybe we can also separate the list of devices into devices that we own and devices of other users that we have access to.

That's weird, each user should be able to access only his own devices, that's how it is for me, so it's probably a bug, I'll check why it's happening. Later I want to add sharing and visibility to devices and wallets, but that's more complicated.

When I am creating a device I don't see any ownership fields in the device json file, so I am not sure how you determine who owns the device...

I create a separate devices folder for each user. This is why I'm surprised you see one user's devices when logged in as another.
src/cryptoadvance/specter/helpers.py (outdated)

```python
import hashlib
import os

# Reviewed snippet: random salt as hex text, PBKDF2-HMAC-SHA512 over the password
salt = hashlib.sha256(os.urandom(60)).hexdigest().encode('ascii')
pwdhash = hashlib.pbkdf2_hmac('sha512', password.encode('utf-8'),
                              salt, 10000)
```
I suggest making a few changes here:

- store salt and password hash separately to avoid things like `stored_password[64:]`, so the `password` key would contain `salt` and `pwdhash` keys.
- use `pbkdf2_hmac('sha256', ...)` to make the resulting hash x2 shorter; I don't see security benefits of sha512 here.
- store bytes not as hex digits but use base64 encoding (`binascii.b2a_base64` and `binascii.a2b_base64`), again, shorter.

One note about the `b2a_base64` function: it adds `\n` at the end of the string for some reason, but it can be removed using `.strip()` on it. It doesn't influence the result of `a2b_base64`, but I am not sure how json will react to `\n` in the string.
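The layout suggested in that review (separate `salt` and `pwdhash` keys, PBKDF2-HMAC-SHA256, base64 with the trailing newline stripped), as an added example that is not the project's code. Function names and the 16-byte salt are my own choices; the 10000 iteration count is taken from the reviewed snippet.

```python
import binascii
import hashlib
import hmac
import json
import os

# Iteration count taken from the reviewed helpers.py snippet
PBKDF2_ITERATIONS = 10000


def hash_password(password, salt=None):
    """Return a {"salt": ..., "pwdhash": ...} record with base64 string values."""
    if salt is None:
        salt = os.urandom(16)  # constructed choice: 16 random salt bytes
    pwdhash = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    # b2a_base64 appends a trailing "\n"; strip it before the value goes into JSON
    return {
        "salt": binascii.b2a_base64(salt).decode("ascii").strip(),
        "pwdhash": binascii.b2a_base64(pwdhash).decode("ascii").strip(),
    }


def verify_password(record, password):
    """Recompute the hash from the stored salt and compare in constant time."""
    salt = binascii.a2b_base64(record["salt"])
    expected = binascii.a2b_base64(record["pwdhash"])
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    # compare_digest avoids leaking how many leading bytes matched
    return hmac.compare_digest(candidate, expected)


def json_roundtrip(record):
    """Write and re-read the record the way a JSON settings file would."""
    return json.loads(json.dumps({"password": record}))["password"]


def stored_lengths(password, salt):
    """Text length of the reviewed format (hex sha512) vs the proposed one (base64 sha256)."""
    old = hashlib.pbkdf2_hmac(
        "sha512", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    ).hex()
    new = hash_password(password, salt)["pwdhash"]
    return len(old), len(new)
```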
```html
{% if specter.config['auth'] == 'usernamepassword' %}
Specter Username:<br><input type="text" name="specter_username" value="{{ current_user.username }}"><br><br>
Specter Password:<br><input type="password" name="specter_password" placeholder="Set new password"><br>
<br><br>
{% endif %}
```
Let's add this part dynamically with JavaScript when the authentication method is changed. UX will be more intuitive in this case: the user selects the `usernamepassword` setting and can set up the admin login and password right away. When the authentication method is changed to `rpcpasswordaspin` or `none`, we remove this part of the form.

Updated based on both comments :)
Allow multiple users to use the same Specter server.

For now, each user is separated from the rest. The original user (the admin) can send registration links with OTP for others to register.

The settings page and configuration were split into admin-managed settings like `auth` and user-specific ones like `hwi_bridge_url`.