
Double authentication

Open kroese opened this issue 2 years ago • 14 comments

All my apps require me to log in twice now, once for the proxy and once for the real app.

Examples are: ThunderHub, Pi-Hole, and many others.

Technically the proxy should be able to do the second login itself, since all passwords are known to Umbrel.

So is this something that will soon be fixed? Or will it stay this way?

kroese, Jun 10 '22 14:06

This definitely sounds like a bug and it is not the intention. How are you accessing your Umbrel server? Via umbrel.local, over Tor, using Tailscale, etc?

Thanks, Steve

nevets963, Jun 10 '22 18:06

I'm running Umbrel on Ubuntu 22.04, and umbrel.local has never worked for me, so I'm always using the IP address of the machine.

But I just tried it using the hostname (umbrel) and it's the same issue.

kroese, Jun 10 '22 19:06

Ah ok. Re the .local domain, you probably don't have avahi installed, which makes this work. If you install that and set the hostname of the system to umbrel, it should then work. Within Umbrel OS, we automatically install this for users, but this sounds like a custom install.

Re this double authentication: what web browser are you using? And when this happens, are you first visiting Umbrel's Web UI, logging in and then clicking an app, and then being prompted to log in again? Or are you going directly to an app via its port number?

nevets963, Jun 10 '22 20:06

I installed avahi when I upgraded to 0.5 but I never tried the .local domain because in the past it never worked. I tried it now, and it is working. But it makes no difference to the issue.

I am using Samsung Internet on Android 12. I am visiting Umbrel's web UI and clicking on the icon.

kroese, Jun 10 '22 22:06

@kroese Glad to hear it's now working :)

Give me a little bit of time to look at this double authentication issue, but I will try to resolve as soon as I can.

nevets963, Jun 10 '22 22:06

@nevets963 I just tried it on Chrome for Android, and I have the same there.

So it does not seem browser-specific or related to cookies, etc. I guess it's something server-side.

kroese, Jun 10 '22 22:06

@nevets963 Any progress?

kroese, Jul 08 '22 09:07

@kroese Myself and the team have not been able to replicate this issue, so I don't know where to look. Are you able to provide very specific steps so that I can give them a go on our side? I tried several combinations, so I'm not sure what I'm missing. Thanks!

nevets963, Jul 12 '22 08:07

I just try to load the ThunderHub site on port 3000. Then I get redirected to the app-proxy for authentication on port 2000. After that I get redirected to the login-screen for ThunderHub on port 3000 again.

If the app-proxy is sending the authentication POST request to the app (ThunderHub), I assume those results will be logged somewhere in case of failure?

Also, in the YML files I never saw any reference to the URL that the app-proxy uses to automate the login? Where is this configured?

kroese, Jul 12 '22 09:07

Ok, what you're describing here is the expected behaviour:

> I just try to load the ThunderHub site on port 3000. Then I get redirected to the app-proxy for authentication on port 2000. After that I get redirected to the login-screen for ThunderHub on port 3000 again.

Assuming what you mean by "login-screen for ThunderHub" is a login screen provided by Thunderhub, not an Umbrel login screen?

This double authentication is because Thunderhub uses its own authentication system (using a deterministic password that we provide the app). We're currently in the process of asking developers to drop these secondary authentication systems to improve the overall UX.

The auth server on port 2000 posts a token and HMAC to the app proxy running on 3000 that 'fronts' Thunderhub. The app proxy receives that request here: https://github.com/getumbrel/umbrel/blob/0f2212821bd1fc2a617b389fd26fcde97c5103d3/deps/app-proxy/routes/umbrel.js#L17

I don't see an issue here. I will close this if you confirm the behaviour above re Thunderhub's login screen.

nevets963, Jul 12 '22 10:07
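
The token-and-HMAC handoff between the auth server and the app proxy described in the comment above, shown as an added example (not Umbrel's code and not part of the thread). The shared secret, the token layout and all function names are assumptions made for illustration.

```javascript
// Added example: names, secret and token layout are assumptions, not Umbrel's code.
const crypto = require('node:crypto');

// Constructed shared secret known to both the auth server and the app proxy.
const SHARED_SECRET = 'constructed-demo-secret';

// Auth-server side: HMAC the token so the proxy can tell who issued it.
function signToken(token, secret = SHARED_SECRET) {
  return crypto.createHmac('sha256', secret).update(token).digest('hex');
}

// Hypothetical token layout: "<session id>.<expiry in ms since epoch>".
function issueToken(sessionId, ttlMs, now = Date.now()) {
  const token = `${sessionId}.${now + ttlMs}`;
  return { token, signature: signToken(token) };
}

// App-proxy side: verify the HMAC before trusting anything inside the token.
function verifyToken(token, signature, now = Date.now(), secret = SHARED_SECRET) {
  if (typeof token !== 'string' || typeof signature !== 'string') {
    return { ok: false, reason: 'malformed' };
  }
  const expected = Buffer.from(signToken(token, secret), 'hex');
  const given = Buffer.from(signature, 'hex');
  // timingSafeEqual throws on a length mismatch, so compare lengths first.
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return { ok: false, reason: 'bad-signature' };
  }
  const dot = token.lastIndexOf('.');
  const expiry = Number(token.slice(dot + 1));
  if (!Number.isFinite(expiry) || expiry <= now) {
    return { ok: false, reason: 'expired' };
  }
  return { ok: true, sessionId: token.slice(0, dot) };
}
```

A valid result only establishes a session with the proxy; an app that keeps its own login behind the proxy still asks for its own credentials, which is the second prompt discussed in this thread.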

I stated this already in the first post, that I was talking about the two separate authentication systems. And my suggestion was that:

> Technically the proxy should be able to do the second login itself, since all passwords are known to Umbrel.

So instead of asking all developers to modify their software (which not all of them will do), it would make more sense that the proxy automates this authentication for the user. By sending the POST request with the right credentials so that the user is automatically logged in.

The only thing needed to implement this would be some values in the .yml file to specify the login-url including the query parameters to be used by the proxy.

kroese, Jul 12 '22 10:07

As each app has its own proprietary login system/forms/UIs, I don't see how we can reliably do this.

The problem with this:

> The only thing needed to implement this would be some values in the .yml file to specify the login-url including the query parameters to be used by the proxy.

Is: Some apps complete auth via AJAX and then use local storage to store the token returned, so this wouldn't work universally.

nevets963, Jul 12 '22 10:07

You are right that there might be some apps that don't support login by a simple POST request, but I assume it's a small minority.

But your alternative (asking developers to completely remove the need for authentication) has downsides too. Because the port used for unauthorized login is still publicly exposed by the container, and can be used to bypass the proxy.

So this will mean that a malicious app in Umbrel can make a connection to my Thunderhub for example, and steal all the money.

kroese, Jul 12 '22 10:07

> But your alternative (asking developers to completely remove the need for authentication) has downsides too. Because the port used for unauthorized login is still publicly exposed by the container, and can be used to bypass the proxy.
>
> So this will mean that a malicious app in Umbrel can make a connection to my Thunderhub for example, and steal all the money.

Yeah totally agree with you. It's not perfect in its current state. We do actually have a solution in the pipeline for this but it's not yet ready. It's documented in our security roadmap, I'll quote the relevant section here:

> No Network Level Sandboxing
>
> Apps already have process level sandboxing and filesystem level sandboxing but not network level sandboxing. We plan to implement network level sandboxing so one app will not be able to interact with another app over the network. Apps will also not be able to interact with other physical devices on the local network without explicitly asking the user for permission.

  • https://github.com/getumbrel/umbrel/blob/master/SECURITY.md

We're still in beta and the app sandbox is not completed yet. It still provides pretty good protection today, but as you rightly point out, there are methods to break out of it and interact with certain apps that won't be resolved until we have network level sandboxing implemented.

We have some pretty cool ideas on how this will work. We don't want to leak too much about this yet but happy to ping you when the feature is ready.

lukechilds, Jul 12 '22 14:07