Authentication

[asciimoo]

Let's discuss what are the requirements and use-cases for authentication.

There is a quick and cheap solution: creating a single "master" password with a command line tool (e.g.: hister set-password) and storing it's hash in the config file/data dir. If the hash exsists, then the web interface shows a password prompt for unauthenticated visitors and unlocks the functionality only after the user provided the right password.

What do you think?

[magikid]

I think that could work.

For my use case, I'm going to try putting it behind an my LB and putting oauth in front of it, specifically with traefik OIDC authentication middleware. I'll see how well that works.

[shaman007]

but that will not work with the browser extention?

[Morethanevil]

Would love to see this feature, so I could use Hister across my browser and OSes. I use Firefox and Brave on Fedora, Android and Windows. I won't expose a hister server without any authentification.

[link2xt]

My usecase for authentication is preventing other software running as separate users from accessing (including modifying) my search history just because they have access to http://127.0.0.1:4433.

A simple solution would be to generate a random token and require that it is included in every URL, e.g. http://127.0.0.1:4433/token-goes-here/...
Accessing http://127.0.0.1:4433/ should not return anything useful and should not allow access to my search history.

Syncthing has a similar problem, it does not require authentication by default and I don't like that it requires the user to set password and username. There is no need for username, and there is no need for the user to invent password manually because user needs to use secure password generator manually then or may set an insecure password: syncthing/syncthing#3357

Jupyter Notebook is using tokens to give you access to the web interface, when it is started it starts the browser with the token in the URL.

[shaman007]

I am looking for a slightly different use case: when I access UI from the private browsing window, it just shows the UI, so anyone can read it. Would it be possible to ask for the token too once and then set it in a cookie? So only those who know the token can read the history.

I.e. now you secured the write access from the extension. But anyone with access to UI can read history and manage rules.

[asciimoo]

@shaman007 the UI asks for the access token if the access token is configured in the server's config file:

[shaman007]

I have it in the server's config file; I am looking for a way to use it from outside the LAN. Now a token secures API requests, but the same person/app can access the UI without it.

I.e. now:

• Server has a secret
• The extension has the same secret and write history with API
• UI has the same capabilities as API but is open with full anonymous access.

[asciimoo]

but the same person/app can access the UI without it.

No, if the access token is added to the config, it should display the UI I've screenshotted until the user enters the valid access token. If you can access the UI after setting the access token it means that there is either a bug or you misconfigured something. According my tests there is no bug. Your config should look like this:

app:
    access_token: you_access_token
[...]

[shaman007]

yes, that's me misconfiguring. thank you @asciimoo !

[link2xt]

What I think I actually want is the UI being packaged into the extension, then there is no need to serve the UI over 127.0.0.1:4433 at all, only the API. API can be authenticated with a token that you need to copy from the config to the extension once, and user does not need to authenticate into the web UI at all if it is part of the extension.

[asciimoo]

Yes token based authentication is an other possible solution, it's similar to having a master password.

[asciimoo]

@link2xt Using only the extensions as a UI has limitations that would reduce the user experience:

• The maxium extension popup size is very limited it would require a lot of scrolling to be able to view results.
• It isn't possible to open the addon popup programatically or with hotkeys.
• Every time you'd like to access Hister from a new computer/browser would require to install the extension and set the token.

[link2xt]

The maxium extension popup size is very limited it would require a lot of scrolling to be able to view results.

When I go to uBlock Origin settings, it opens the whole tab with an URL that starts with moz-extension:// in Firefox. Similarly with BlogCat, it is an extension with RSS reader, when I open RSS reader it is a full tab, not a popup.

[link2xt]

With 0.8 having token authentication is already an improvement. The problems:

1. I had to generate access_token manually and add it to config. Used pwgen for this.
2. I had to enter the token into the search interface and into the extension popup, so twice instead of once.
3. Extension popup did not tell me anything about not being able to connect or asked for token. I was not even sure if it worked or if I pasted the token correctly. Checked by indexing a page and then verifying that it can be found in Hister.

[aslafy-z]

Bundled support for OIDC would be awesome!