Mongoku
Security concern while using mongoku in docker
First of all, thank you for mongoku. It works well and it's fast as well.
Docker setup
Both of these containers (mongodb & mongoku) run within the same docker network
version: "3.9"
services:
  mongoku:
    image: huggingface/mongoku
    container_name: mongoku
    hostname: mongoku
    ports:
      - 3100:3100
  mongo:
    image: mongo
    container_name: mongo
    hostname: mongo
    restart: always
    ports:
      - 27017:27017 # server access
    environment:
      MONGO_INITDB_ROOT_USERNAME: ${MONGODB_ADMIN_USERNAME}
      MONGO_INITDB_ROOT_PASSWORD: ${MONGODB_ADMIN_PASSWORD}
      MONGO_INITDB_DATABASE: ${MONGODB_INITDB_DATABASE}
What happens
From my host machine, if I access the web UI, it prompts to add a server. Once you add the server, I guess the connection string including username/password is persisted inside the container and not the user HTTP session.
Security Issue
When you open another browser (in private mode) and open the Web UI, you see the server which was added by the previous session. This becomes a security concern since any user can open the UI and see the servers added by other users.
Do let me know if there is a way around this.
Fix
The server list should be persisted in the user HTTP session and not inside the docker container.
Same concern here.
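The difference between the behaviour reported in the issue and the fix it proposes, as an added example (not Mongoku's code): one store keeps a single process-wide server list, the other keys the list by HTTP session. The class and function names are hypothetical, the session IDs are assumed to come from a session middleware that issues unguessable values, and returning only scheme and host from `list` is an addition beyond the proposed fix.

```javascript
// Added illustration; all names here are hypothetical, not Mongoku's own.

// Display form of a single-host MongoDB URI with the credentials dropped,
// so a listing never echoes the stored username/password back to a browser.
function redact(uri) {
  const u = new URL(uri);
  return `${u.protocol}//${u.host}`;
}

// Behaviour described in the issue: one list for the whole process,
// so every visitor sees every server that anyone has added.
class SharedServerStore {
  constructor() { this.servers = []; }
  add(_sessionId, uri) { this.servers.push(uri); }
  list(_sessionId) { return this.servers.map(redact); }
}

// Proposed fix: the list is keyed by the caller's HTTP session.
class SessionServerStore {
  constructor() { this.bySession = new Map(); }
  add(sessionId, uri) {
    if (!sessionId) throw new Error("request has no session");
    const list = this.bySession.get(sessionId) ?? [];
    list.push(uri);
    this.bySession.set(sessionId, list);
  }
  list(sessionId) {
    return (this.bySession.get(sessionId) ?? []).map(redact);
  }
  // Call on logout or session expiry so credentials do not outlive the session.
  destroy(sessionId) { this.bySession.delete(sessionId); }
}

// Two browsers against the same store: session A adds a server, session B lists.
function secondSessionSees(store) {
  // Constructed sample URI; the password is a placeholder.
  store.add("session-A", "mongodb://admin:constructed-pw@mongo:27017");
  return store.list("session-B");
}

console.log("shared store, second browser sees:", secondSessionSees(new SharedServerStore()));
console.log("session store, second browser sees:", secondSessionSees(new SessionServerStore()));
```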