
Feat/backend api security and minor fixes #188

Merged: 7 commits, Nov 1, 2024

Conversation

cardosofede (Contributor)

It is necessary to run the broker via Docker, and this version of the Backend API via source or Docker: hummingbot/backend-api#37

In this PR we should test the following things (a fresh install of the environment is necessary):

  1. Auth system: change AUTH_SYSTEM_ENABLED in CONFIG.py to True by default (so you don't need to set up an env variable, or set the env variable, as you want) -> line 20 of the image.
    Test that the login works for admin abc, which is the default.

  2. Backend API security: as you can see, lines 24 and 25 were added to introduce two new env variables. By default, the user and pass are (admin, admin) for the Backend API. If you run the Dashboard you should be able to use it without problems. The next things to test are:

  • Changing the config in the backend api and running it again (check the .env file and change the username)
  • Changing the default from admin to something else
    In the last two scenarios, the dashboard should not work.


rapcmia (Contributor) commented Oct 31, 2024

PR update:

  • Fresh install of dashboard and backend-api from source ✅
  • AUTH_SYSTEM_ENABLED is still set to false by default; changed from false to true to test. Auth enabled ✅
  • Login using default credentials ok
  • After login, checked the bot orchestration page
    • It seems related to an issue in set_environment.sh
    • Changing to set admin/admin worked ✅
    • If backend_api_username and password do not match the .env file, the user cannot access ✅
  • If auth is disabled and the backend API credentials do not match:
    • user can access the dashboard without login ✅
    • user can't access pages that require the backend API ✅

rapcmia previously approved these changes Oct 31, 2024
rapcmia dismissed their stale review October 31, 2024 08:04

While closing the dashboard, found out the xemm_controller is still accessible even though backend-api has unauthorized access on most of the controllers

rapcmia (Contributor) commented Oct 31, 2024

Attached recording of XEMM Controller accessible when unauthorized:

Screen.Recording.2024-10-31.at.4.02.22.PM.mov
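The test scenarios in the PR description (dashboard denied when the Backend API credentials do not match) and the finding above (a controller page still reachable when the Backend API answers unauthorized) both come down to one rule: a page that depends on the Backend API must fail closed. The following is an added example of such a gate, not code from the dashboard or backend-api repositories; the env variable names, the /status probe path and the stub transport are assumptions.

```python
"""Fail-closed Backend API gate (added example, not hummingbot code).
Env variable names and the probe path are assumptions for illustration."""
import base64
import os
from dataclasses import dataclass
from typing import Callable, Mapping

# Hypothetical names for the two .env variables the PR introduces.
USERNAME_ENV = "BACKEND_API_USERNAME"
PASSWORD_ENV = "BACKEND_API_PASSWORD"

# Transport: (path, Authorization header value) -> HTTP status code.
# Injected so the gate can be exercised offline with a stub.
Transport = Callable[[str, str], int]


def basic_auth_header(username: str, password: str) -> str:
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"


@dataclass
class GateResult:
    allowed: bool
    reason: str


def backend_api_gate(transport: Transport, env: Mapping[str, str] = os.environ,
                     probe_path: str = "/status") -> GateResult:
    """Allow only when the configured credentials are accepted (HTTP 200).
    Missing config, 401/403, any other status or a transport error all deny,
    so a controller page cannot render on a failed or skipped check."""
    username, password = env.get(USERNAME_ENV), env.get(PASSWORD_ENV)
    if not username or not password:
        return GateResult(False, "backend api credentials not configured")
    try:
        status = transport(probe_path, basic_auth_header(username, password))
    except Exception as exc:  # connection refused, timeout, DNS failure ...
        return GateResult(False, f"backend api unreachable: {exc!r}")
    if status in (401, 403):
        return GateResult(False, f"backend api rejected credentials ({status})")
    if status != 200:
        return GateResult(False, f"unexpected backend api status {status}")
    return GateResult(True, "ok")


def make_stub_transport(expected_user: str, expected_pass: str) -> Transport:
    """Constructed stand-in for the Backend API: 200 on a matching
    Basic header, 401 otherwise. Used only to run the gate offline."""
    ok = basic_auth_header(expected_user, expected_pass)
    return lambda path, auth_header: 200 if auth_header == ok else 401
```

Wiring every page that calls the Backend API through one gate like this is what prevents a single controller page from slipping past the check when the others deny.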

nikspz (Contributor) commented Oct 31, 2024

0c9238a

Docker
backend-api-PR37 + dashboard PR188

  1. Cloned PR188 and set AUTH_SYSTEM_ENABLED to True
  2. Manually built the docker image with docker build -t hummingbot/dashboard:development -f Dockerfile .
  3. Cloned backend-api-PR37 and manually built the docker image with docker build -t hummingbot/backend-api:development -f Dockerfile .
  4. Cloned the deploy repo and used setup_dev.sh to run the dashboard

Actual:
Reviewed: not asked for authentication


rapcmia merged commit f24c1bf into main Nov 1, 2024