Password based authentication #494

Open
powellnorma opened this issue Oct 3, 2024 · 1 comment
@powellnorma

So that not any app (or even extension) can access all of AW's data. The Web-UI would also need to authenticate with a password (login could be saved via cookie, though). The client libraries (Python + JS) would have to get updated.


powellnorma commented Oct 3, 2024

Perhaps it would be enough to simply add an HTTP header that contains the password for each API request. One optimization would be to hash that password twice - once client-side, once server-side. That way, the plain password is not included in the HTTP headers.

In case the password is wrong, the backend could just return a 403. Additionally, we could add logic such that after e.g. 10 consecutive wrong passwords, for ~10s we always return 429 (Too Many Requests) or 423 (Locked).
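
The check proposed in the comment above, sketched as an added example (not part of the issue and not ActivityWatch code): the header carries a client-side hash, the server hashes it again before comparing, and 10 consecutive failures trigger a 10 s window of 429 responses. The names `client_hash` and `PasswordGate`, and the choice of SHA-256 and PBKDF2, are assumptions.

```python
import hashlib
import hmac
import time

MAX_FAILURES = 10      # consecutive wrong passwords before lockout (from the comment)
LOCKOUT_SECONDS = 10   # length of the lockout window (from the comment)


def client_hash(password: str) -> str:
    """Client-side hash: the value sent in the header instead of the plain password."""
    return hashlib.sha256(password.encode()).hexdigest()


class PasswordGate:
    """Server-side check (hypothetical helper); stores only a salted hash of the client hash."""

    def __init__(self, password: str, salt: bytes, clock=time.monotonic):
        self._salt = salt
        self._stored = self._server_hash(client_hash(password))
        self._clock = clock          # injectable so the lockout can be tested
        self._failures = 0
        self._locked_until = 0.0

    def _server_hash(self, header_value: str) -> bytes:
        # Second hash, server-side. PBKDF2 is an assumption, not named in the issue.
        return hashlib.pbkdf2_hmac("sha256", header_value.encode(), self._salt, 100_000)

    def check(self, header_value) -> int:
        """Return the HTTP status for a request whose auth header is header_value (or None)."""
        now = self._clock()
        if now < self._locked_until:
            return 429               # locked: even a correct password is refused
        if header_value is not None and hmac.compare_digest(
            self._server_hash(header_value), self._stored
        ):
            self._failures = 0       # success resets the consecutive-failure count
            return 200
        self._failures += 1
        if self._failures >= MAX_FAILURES:
            self._failures = 0
            self._locked_until = now + LOCKOUT_SECONDS
        return 403
```

Because the server accepts the client-side hash as-is, that hash is the effective credential on the wire; the double hashing only keeps the original password text out of the headers and out of the stored value.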
