feat: rework login authentication and add API token support #3999
Conversation
…o a helper lambda
|
There appears to be a weird bug in current master branch where there is like a ghost session showing in Moonlight. Thought this may have caused it but it does not. |
…thods and properly support regex in scopes
Nevermind, only happens when you add a blank app to Sunshine... still a weird bug though |
Nonary
changed the title
|
Flipping back to draft as I do extensive testing against the login screen and session handling. Right now, the session handling and redirect is a prototype and has not been security reviewed by me yet. |
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
also improved security of session management by hashing the session token
|
Okay, it should be secure enough now. Next steps is to polish the code and remove any dead code, pointless comments and bugfixes if applicable. |
There was a problem hiding this comment.
I like the idea of adding tests to the web-ui part, but I think that should be done as a separate PR and before this one. It might be better to do after #3855 (or part of) as well.
Also, using common strategies to the following where possible (to ease the maintenance burden).
- https://github.com/LizardByte/shared-web
- https://github.com/LizardByte/gamepad-helper
- https://github.com/LizardByte/contribkit (doesn't actually have tests, but the framework is there)
We'll also need to upload coverage to codecov for the web-ui. We already have upload coverage steps, but we'll need to include the reports from this part. There are examples in all 3 of the above.
Fine with me, it was mostly there to help me confirm everything is working without having me to constantly recompile sunshine and test by hand. It is also kind of hacked in, I had to configure jest instead of using vite testing framework because our Vue setup is kinda chaotic. I am way more experienced in jest so went with that. But probably would focus more on trying to figure out getting the built in testing framework for vite working instead on the separate PR. |
|
I removed the frontend unit tests, did another sweep through in cleanup some dead code and comments. I've run through a lot of manual testing and automated testing, so I believe it is ready. |
|
Description
Adds token-based authentication to Sunshine’s API and admin UI.
Adds token based sessions as an alternative to basic authentication.
Admins can now create, view, and revoke login-free API tokens that grant only the routes they choose.
The existing Basic-Auth flow is untouched, this adds on top of the existing code; therefore there is no breaking changes.
Why this is secure
Benefits
/api/appsGET only), reducing risk, where as using basic auth would give full access to everything in Sunshine.Screenshot
Issues Fixed or Closed
None – this is a new capability.
Type of Change
Checklist