Add SSO auth support #2040
Conversation
podman requires absolute paths to some docker images on docker hub.
prevent parsing of string values as other types
Thanks for picking this up! I currently don't have time to test this, but AFAIR the reason why the redirect was necessary was due to mealie being a PWA, the browser will not always request the login page from the proxy. Have you tested if having a redirect in the proxy works reliably?
Good point @tribut, I haven't thought about this edge case.
"password": "SSO", | ||
# Fill the next two values with something unique and vaguely |
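Review bot: the literal "SSO" placed in the password field here is a sentinel rather than a credential, but nothing next to it says so; add a comment beside this line stating that the value is deliberately not a valid password hash and is not meant to be accepted by the login form, so a later reader does not mistake it for a default password that has to be rotated.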
Could this be a security risk? Could you log in through the login form using "SSO" for this user? In that would be the case, maybe a randomly generated password could add some security.
@@ -61,7 +61,8 @@ def get_logged_in_user(self): | |||
@user_router.put("/password") | |||
def update_password(self, password_change: ChangePassword): | |||
"""Resets the User Password""" | |||
if not verify_password(password_change.current_password, self.user.password): | |||
# when logged in via SSO, do not check old password | |||
if self.user.password != "SSO" and not verify_password(password_change.current_password, self.user.password): |
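Review bot: the new condition on the last `+` line ties authorization logic to a magic string in the credential column, and once `update_password` proceeds for an SSO user the column will hold a real hash, so the "SSO" marker is silently lost and the account behaves like a password account afterwards. Prefer an explicit per-user flag (for example an `auth_method` or `sso` column checked as `if not self.user.sso and not verify_password(...)`), and decide explicitly whether an SSO user may set a local password at all; at minimum move the `!= "SSO"` comparison into one named helper so every call site agrees on the sentinel.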
Could reusing the password field with a specific value be a problem in the future? It is giving the password field two meanings, maybe a boolean value for the user could be a safer option.
Passwords are not stored as plaintext. They are always hashed, and only the hash value gets persisted. Currently bcrypt is in use as the hashing algorithm, see https://github.com/hay-kot/mealie/blob/39012adcc1b431c59ff9d83f75100971ffa540e0/mealie/core/security/hasher.py#L27
The hash values have a fixed size which is always longer than 3 characters (e.g. "SSO"). So the value "SSO" is an invalid hash value. Hashing always produces valid hash values. So there is no chance of overlapping values.
TL;DR no security problem here
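The two review points above (a bare sentinel cannot verify as a hash; reusing the password column for a second meaning is fragile) can be shown side by side. The following is an added example, not code from the mealie project: it uses PBKDF2-HMAC-SHA256 from the standard library as a stand-in for the project's bcrypt hasher, and `update_password_sentinel` mirrors the logic of the hunk under discussion while `update_password_flag` is the boolean alternative suggested in review. The `User` class, the `sso` field and the hash string format are assumptions made for the example.

```python
import hashlib
import hmac
import os
import re
from dataclasses import dataclass

# Constructed stand-in for the project's hasher: PBKDF2-HMAC-SHA256 instead of
# bcrypt so this runs with the standard library only. The stored format is
# "pbkdf2_sha256$<iterations>$<salt-hex>$<digest-hex>"; like a bcrypt string it
# has a fixed, recognisable shape that a bare literal such as "SSO" never has.
_HASH_RE = re.compile(r"^pbkdf2_sha256\$(\d+)\$([0-9a-f]{32})\$([0-9a-f]{64})$")
_ITERATIONS = 100_000


def hash_password(plain: str) -> str:
    """Hash a plaintext password with a fresh random salt."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", plain.encode(), salt, _ITERATIONS)
    return f"pbkdf2_sha256${_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(plain: str, stored: str) -> bool:
    """Return True only if `stored` is a well-formed hash of `plain`."""
    m = _HASH_RE.match(stored)
    if m is None:
        # A sentinel such as "SSO" is not a hash, so no input can verify against it.
        return False
    iterations, salt_hex, digest_hex = int(m.group(1)), m.group(2), m.group(3)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", plain.encode(), bytes.fromhex(salt_hex), iterations
    )
    # Constant-time comparison of the hex digests.
    return hmac.compare_digest(candidate.hex(), digest_hex)


@dataclass
class User:
    """Assumed minimal user record for the example."""
    username: str
    password: str       # a hash, or the PR's "SSO" sentinel
    sso: bool = False   # explicit flag, the alternative suggested in review


def update_password_sentinel(user: User, current: str, new: str) -> bool:
    """Mirror of the hunk's logic: skip the old-password check when the column holds 'SSO'."""
    if user.password != "SSO" and not verify_password(current, user.password):
        return False
    user.password = hash_password(new)   # the sentinel is overwritten here
    return True


def update_password_flag(user: User, current: str, new: str) -> bool:
    """Same behaviour keyed on an explicit boolean instead of a magic string."""
    if not user.sso and not verify_password(current, user.password):
        return False
    user.password = hash_password(new)   # user.sso still records how they log in
    return True


def sentinel_survives_update() -> bool:
    """Does an SSO user still look like an SSO user after a sentinel-based password change?"""
    user = User("alice", "SSO")
    update_password_sentinel(user, "", "new-local-password")
    return user.password == "SSO"


def flag_survives_update() -> bool:
    """Same question for the flag-based variant."""
    user = User("alice", "SSO", sso=True)
    update_password_flag(user, "", "new-local-password")
    return user.sso
```

Running this confirms the thread's conclusion that `verify_password(..., "SSO")` is always false, and also makes the reviewer's concern concrete: after one password change through the sentinel variant the "SSO" marker is gone, whereas the flag variant keeps recording how the user authenticates.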
Nice! It would be very nice to have this in Mealie, if you need any kind of help testing or whatever is needed to help you push this forward let me know.
Implementing 99% of this feature is easy and done by this pull request. But the last 1% are nasty and non trivial. That's why I marked the PR as draft. As I chose Tandoor Recipes instead of Mealie for now, I am currently not pushing this any further. Maybe others can help.
I see, well, thanks for your work!
@knrdl can you please list the issues you currently see that aren't handled by the PR (that last 1%), so someone else can pick up the work?
Sure, the PWA/ServiceWorker aspect in conjunction with the Reverse Proxy is not fully handled or tested yet:
These are fewer problems than I thought there remained. If I find the time maybe I will take another look into it. Or I forgot some of the edge cases, who knows :)
thanks for the rundown!
This PR adds SSO support. The workflow looks like this:
This PR is mostly based on the work of @tribut in #1622
However there are some notable differences:
Please have a look!