This would mean that Movary would only be accessible from a reverse proxy (so not from http://192.168.2.1, but from https://movary.domain.com) and would read HTTP headers from a reverse proxy like NGINX or Traefik to authenticate a user.
This allows the use of things like Authelia, Keycloak or Authentik, which provide a wayyy better security / authentication flow than Movary does. And I honestly don't think Movary should provide a 100%, foolproof, Fort Knox-like security, because it would take too much time to do so, and that's probably out of the project's scope. It would be better to leave the really advanced security stuff to applications specifically designed for security stuff, like the projects I mentioned above.
Hm, I am not against this in principle, adding this as an additional option is definitely fine by me and a great idea.
But I want the basic Movary setup to have as few external dependencies as possible, to keep the infrastructure as simple as possible so that even beginners have no problem setting it up and we do not have to maintain too many integrations.
> And I honestly don't think Movary should provide a 100%, foolproof, Fort Knox-like security, because it would take too much time to do so, and that's probably out of the project's scope

I agree, I even think it does not need high security for the most part, there is not really much valuable/dangerous data for bad actors to acquire (if used in a personal scope). That does of course not mean that security is not important and the basics should be implemented well. Providing options for people who want to be as safe as possible (like you suggested) is a great idea, but it is not the focus at the current stage, so I would see this as a low priority topic.
We could use OpenID Connect or OAuth2 for this, as most of the external SSO software (such as Keycloak, Authelia, Authentik, Google, etc.) support both of them, and it's safer than proxying a header through Movary and hoping for the best...
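The header-based option discussed in this thread is only as safe as the application's check that the header really came from the proxy. As an added example (not Movary code and not from any participant in this thread), here is that check in Python; the proxy network `172.18.0.0/24` and the header name `Remote-User` are assumptions chosen for illustration, and the sample requests in the test are constructed.

```python
import ipaddress

# Assumed deployment values, not taken from the thread:
# the only network the reverse proxy connects from, and the header it sets.
TRUSTED_PROXIES = [ipaddress.ip_network("172.18.0.0/24")]
USER_HEADER = "remote-user"


def authenticated_user(peer_ip, headers):
    """Return the proxy-asserted username, or None if it must not be trusted.

    peer_ip -- address of the TCP peer as seen by the application socket.
               Never use X-Forwarded-For here: the client controls it.
    headers -- list of (name, value) pairs exactly as received.
    """
    try:
        peer = ipaddress.ip_address(peer_ip)
    except ValueError:
        return None
    # Dual-stack listeners report IPv4 peers as ::ffff:a.b.c.d; unwrap them.
    mapped = getattr(peer, "ipv4_mapped", None)
    if mapped is not None:
        peer = mapped
    # A request that did not arrive through the proxy can carry any header
    # the client likes, so the identity header is ignored entirely.
    if not any(peer in net for net in TRUSTED_PROXIES):
        return None
    values = [v.strip() for k, v in headers if k.lower() == USER_HEADER]
    # Exactly one non-empty value is expected. A second copy means the proxy
    # forwarded a client-supplied header instead of replacing it.
    if len(values) != 1 or not values[0]:
        return None
    return values[0]
```

The proxy must also overwrite or strip any client-supplied copy of the header, and the application port should not be reachable except through the proxy.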