
Allow for automatic authentication

Open dorianim opened this issue 1 year ago • 6 comments

It would be nice to have some way of automatically signing the user in without any interaction.

The use case is the following: I have timetagger running behind Authentik which handles authentication and passes the username as an HTTP-header. When this header is passed, the user is authenticated and should be logged in automatically. I have currently solved it with my custom run script, but for it to work, the user first has to click on sign in at the start page and then again at the sign-in page, which is kind of annoying.

Is there any way around that?

dorianim avatar Aug 04 '22 16:08 dorianim

First a recap of how I intended auth to work:

  1. Via a login procedure, establish the user's identity (username), and hand out a (timetagger-specific) webtoken.
  2. All subsequent API requests send the token along to authenticate them.
  3. The webtokens expire, but also auto-refresh. When the app is not used for a week (?) the user will have to log in again.

Your question is (I think) about making step 1 as easy as possible, requiring the minimal amount of clicks. By default, step 1 consists of a login page where the credentials can be filled in. On timetagger.app, this login page is replaced with a page that redirects to Auth0, and Auth0 will - once the auth is done - redirect to my /authcb page, which handles the incoming info from Auth0 and does an API call to get the webtoken. I suspect you should be able to do something similar with Authentik.

almarklein avatar Aug 06 '22 22:08 almarklein

What is the URL for /authcb? I don't see this mentioned anywhere in the docs, but sounds like it's what I need to get a simpler sign-on using Authelia.

Edit - I tried timetagger/app/authcb and timetagger/authcb and both went to a 404 page. I see it on https://timetagger.app - is it not part of the self-hosted version?

@dorianim, I got around the first sign-in on the Start page by changing line 85 in run.py to: return 307, {"Location": "/timetagger/app/"}, b"" # Redirect This still requires the user to click the 'login' button again on the login page, but a username and password does not need to be entered. Looks like you might have done this already on line 51 of your customized run.py.

I don't see how that page can be bypassed at all when authenticated via Authelia or Authentik.

lgaudreau avatar Aug 29 '22 22:08 lgaudreau

/authcb is a page that you add to your modified version, and this is where you handle the authenticator's specific info. For https://timetagger.app this page receives info via /authcb?query_args. It looks like with Authelia you should check the headers. Anyway, the page should have JS that collects the authentication info, and then does an API call to the server to exchange that info for a (timetagger-specific) webtoken.

I don't see how that page can be bypassed at all when authenticated via Authelia or Authentik.

The flow would be this:

  • The user navigates (or gets sent to) /login.
  • Redirect to authentication service (e.g. Authelia).
  • Service redirects to /authcb.
  • On that page you do an API call to obtain the webtoken, and store it.
  • Then you can redirect to e.g. /app (e.g. JS can set location.href).

almarklein avatar Aug 30 '22 21:08 almarklein
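The three steps in the earlier recap (establish identity, hand out a timetagger-specific webtoken, expire and auto-refresh it) and the /authcb flow above both come down to one server-side exchange: turn the authenticator's info into a signed token. The following is an added example, not timetagger's own run.py or API code, modelling that exchange for the header-passing setup described in this thread. The header names (x-remote-user, x-proxy-secret), the shared proxy secret, the token format and the one-week lifetime are all assumptions for illustration. The proxy-secret check is the part worth keeping: if the app port is reachable without going through Authentik/Authelia, any client can set the username header itself, so the server must only trust it on requests it can tell came from the proxy.

```python
# Added example: exchange a proxy-supplied username for a signed, expiring
# webtoken, plus verification and refresh. Not timetagger's code; header
# names, secrets and lifetimes below are assumed for illustration.
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

PROXY_USER_HEADER = "x-remote-user"      # assumed: header the proxy sets with the username
PROXY_SECRET_HEADER = "x-proxy-secret"   # assumed: header carrying a secret only the proxy knows
PROXY_SECRET = b"replace-with-a-long-random-value"  # placeholder; configure out of band
TOKEN_SECRET = secrets.token_bytes(32)   # per-process signing key (persist it in real use)
TOKEN_LIFETIME = 7 * 24 * 3600           # a week, as mentioned in the thread


def _b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(username: str, now: Optional[float] = None) -> str:
    """Step 1/2: mint a token bound to the username with an expiry claim."""
    now = time.time() if now is None else now
    payload = json.dumps(
        {"username": username, "exp": int(now) + TOKEN_LIFETIME},
        separators=(",", ":"),
    ).encode()
    sig = hmac.new(TOKEN_SECRET, payload, hashlib.sha256).digest()
    return _b64e(payload) + "." + _b64e(sig)


def verify_token(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Check signature first, then expiry. Returns the claims or None."""
    now = time.time() if now is None else now
    try:
        payload_b64, sig_b64 = token.split(".")
        payload = _b64d(payload_b64)
        sig = _b64d(sig_b64)
        expected = hmac.new(TOKEN_SECRET, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected):
            return None
        claims = json.loads(payload)
    except ValueError:  # malformed base64, wrong field count, or bad JSON
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    return claims


def refresh_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Step 3: auto-refresh by re-issuing while the current token is still valid."""
    claims = verify_token(token, now)
    if claims is None:
        return None
    return issue_token(claims["username"], now)


def authcb(headers: dict, now: Optional[float] = None) -> Optional[str]:
    """The /authcb exchange: trusted proxy headers in, webtoken out.

    Only honour the username header when the request also carries the
    proxy's shared secret; without this, anyone who can reach the app
    directly could log in as any user by setting the header themselves.
    """
    h = {k.lower(): v for k, v in headers.items()}
    presented = h.get(PROXY_SECRET_HEADER, "").encode()
    if not hmac.compare_digest(presented, PROXY_SECRET):
        return None
    username = h.get(PROXY_USER_HEADER, "").strip()
    if not username:
        return None
    return issue_token(username, now)


if __name__ == "__main__":
    # Constructed request headers, as a proxy would forward them.
    tok = authcb({"X-Remote-User": "alice", "X-Proxy-Secret": PROXY_SECRET.decode()})
    print("token:", tok)
    print("claims:", verify_token(tok))
    print("without proxy secret:", authcb({"X-Remote-User": "alice"}))
```

The JS on the /authcb page would then POST to this endpoint, store the returned token (timetagger sends it along with every API request), and set location.href to /app, which is the last bullet of the flow above.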

Ok, so the /authcb page would need to be written custom then? That is definitely beyond my skill level.

lgaudreau avatar Aug 31 '22 20:08 lgaudreau

Yes ... mmm I can see how this is indeed not trivial. Would be good to have an example of this. Maybe I can open-source the version that used Auth0, and refactor it a bit so it can be modified for other auth providers.

The solution that you have in place now, by modifying the server to take the Authelia username from the header, is fine too, I suppose. To get back to your original question :) you could also change the login page so that it redirects instead of the user having to click a button. Something like this:

<html>
<body>
<script>
// Redirect to the external auth provider as soon as the page loads,
// so the user does not have to click a login button first.
async function login() {
    let url = 'https://your.authelia.com/page';  // your Authelia (or Authentik) login URL
    // tools.sleepms is timetagger's own helper; it must be loaded on this page.
    // The short delay just lets the page finish rendering before leaving it.
    await tools.sleepms(50);
    location.replace(url);  // replace, so the login page is not left in the history
}
window.addEventListener('load', login);
</script>
</body>
</html>

almarklein avatar Aug 31 '22 21:08 almarklein

Having a page or example for authcb would be great!

I have authelia currently redirecting to 'timetagger/login' after authenticating. I'll see how far I can get with the code you provided above over the weekend.

lgaudreau avatar Aug 31 '22 22:08 lgaudreau