Sunshine icon indicating copy to clipboard operation
Sunshine copied to clipboard
Published 3 months ago verified publisher icon LizardByte

Replace Basic Authentication with JWT Tokens, Added Login Page

Open TheElixZammuto opened this issue 2 years ago • 6 comments

Description

This PR replaces the current Login Page (which is based of the Basic Authentication) with a custom Login Page that implements Cookies + JWT to handle the session system.

This allows us to customize the UX of the login page, and it's more compatible with password managers.

The JWT Key is generated on the fly by Sunshine on each boot and is kept in memory, this allows us to not fiddle with revocation lists and storing safely the encryption key. The only side effect is that the credentials will be invalidated on a Sunshine Reboot, but the Web UI is already capable to handle this edge case and show a login modal when the credentials expire without reloading the entiere page.

This breaks the current API Authentication, but nobody uses the Web UI API as far as we know. If so, let us know!

Screenshot

2024-03-13 21_15_35-Sunshine e altre 4 pagine - Profilo 1 - Microsoft​ Edge 2024-03-13 21_26_13-Sunshine e altre 6 pagine - Profilo 1 - Microsoft​ Edge

Issues Fixed or Closed

https://ideas.moonlight-stream.org/posts/329/sunshine-use-login-page-rather-than-login-prompt

Type of Change

  • [ ] Bug fix (non-breaking change which fixes an issue)
  • [x] New feature (non-breaking change which adds functionality)
  • [x] Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • [ ] Dependency update (updates to dependencies)
  • [ ] Documentation update (changes to documentation)
  • [ ] Repository update (changes to repository files, e.g. .github/...)

Checklist

  • [x] My code follows the style guidelines of this project
  • [x] I have performed a self-review of my own code
  • [x] I have commented my code, particularly in hard-to-understand areas
  • [ ] I have added or updated the in code docstring/documentation-blocks for new or existing methods/components

Branch Updates

LizardByte requires that branches be up-to-date before merging. This means that after any PR is merged, this branch must be updated before it can be merged. You must also Allow edits from maintainers.

  • [x] I want maintainers to keep my branch updated

TheElixZammuto avatar Mar 13 '24 20:03 TheElixZammuto

Hey, just curious, do we have to replace the basic authentication? I'd rather have it added as an additional authentication method. The goal is to reduce risk, but I don't think its necessary to totally kill off basic auth as its still a secure method, just not really recommended for browser usage due to it exposing password every request.

Nonary avatar Mar 23 '24 14:03 Nonary

Hey, just curious, do we have to replace the basic authentication? I'd rather have it added as an additional authentication method. The goal is to reduce risk, but I don't think its necessary to totally kill off basic auth as its still a secure method, just not really recommended for browser usage due to it exposing password every request.

Simply to simplify the authentication methods and not supporting both of them. This could be useful in situations where we would like to add different/new types of authentication systems without having to deal with this. btw I'll let @ReenigneArcher and @cgutman decide on that, I don't have a very strong opinion on that

TheElixZammuto avatar Mar 30 '24 08:03 TheElixZammuto

I agree with Elix. Less code to maintain would be my preference.

ReenigneArcher avatar Mar 30 '24 11:03 ReenigneArcher

I don't think its a good idea to drop basic authentication as it is a breaking change and it would make it practically impossible to use the webAPI outside of the browser if we implemented it via proper security practices. As for authentication becoming more difficult to maintain, it shouldn't be that way... most auth is added in via decorator or composite patterns to where it just is added on top of something.

Nonary avatar Apr 02 '24 06:04 Nonary

@Nonary are you using the API for anything? I thought you were parsing the logs files for your projects.

We did a search on GitHub and didn't really find anyone doing anything with our API.

ReenigneArcher avatar Apr 02 '24 14:04 ReenigneArcher

Codecov Report

Attention: Patch coverage is 1.80180% with 109 lines in your changes are missing coverage. Please review.

Project coverage is 6.16%. Comparing base (7fb8c76) to head (3888ec8).

Additional details and impacted files 
@@            Coverage Diff             @@
##           nightly   #2252      +/-   ##
==========================================
- Coverage     6.17%   6.16%   -0.02%     
==========================================
  Files           86      86              
  Lines        17546   17644      +98     
  Branches      8190    8263      +73     
==========================================
+ Hits          1083    1087       +4     
+ Misses       15410   14725     -685     
- Partials      1053    1832     +779
Flag Coverage Δ
Linux 4.23% <0.00%> (-0.04%) :arrow_down:
Windows 2.03% <0.00%> (-0.02%) :arrow_down:
macOS-12 8.67% <2.15%> (+0.08%) :arrow_up:
macOS-13 7.79% <1.07%> (-0.05%) :arrow_down:
macOS-14 8.12% <1.07%> (-0.05%) :arrow_down:

Flags with carried forward coverage won't be shown. Click here to find out more.

Files Coverage Δ
src/confighttp.cpp 1.28% <1.80%> (+0.52%) :arrow_up:

... and 25 files with indirect coverage changes

codecov[bot] avatar Apr 27 '24 13:04 codecov[bot]