
basic web auth allowed

Open nbbn opened this issue 4 years ago • 2 comments

Hi, I'm surprised, because I was able to log in with HTTP basic auth at the main page of my shinyproxy instance.

Example of request:

GET http://192.168.1.2:8080/ HTTP/1.1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
sec-ch-ua: "Chromium";v="95", ";Not A Brand";v="99"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
Accept-Language: en-US,en;q=0.9
Content-Length: 0
Authorization: Basic xxxx
Host: 192.168.1.2:8080

I receive code 200 and am redirected to the app.

My application.yaml:

proxy:
  title:
  landing-page: /app/application
  port: 8080
  authentication: webservice
  webservice:
    authentication-url: "${x}/auth"
    authentication-request-body: '{"login": "%s", "password": "%s"}'
  docker:
    internal-networking: true
  specs:
  - id: application
    display-name: x
    description: x
    container-image: "a:b"
    container-network: "x"

server:
  servlet.session.timeout: 0
  forward-headers-strategy: native
  secureCookies: false

Of course the credentials in the header have to be valid, but still I am a little concerned, because then the browser will send this base64-encoded login and password with all requests (for example, some service in the same context (protocol+host+port) will get these credentials, right?).

Is it documented somewhere? Can I disable it?

Thanks, Jakub

nbbn avatar Oct 25 '21 18:10 nbbn
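A small check an administrator can run against their own instance to confirm the behaviour reported above (added example, not ShinyProxy's code): it sends one GET with a Basic header, does not follow redirects, and reports whether the reply looks like a logged-in session (200, or a redirect under the `/app/` landing page from the application.yaml) or a rejection (401, or a redirect to the login form). The host, the `jack`/`password` test account and the `/login` path are assumptions.

```python
import base64
import urllib.error
import urllib.request

# Assumed values: a lab instance and a test account you control.
BASE_URL = "http://192.168.1.2:8080/"
LANDING_PATH = "/app/"  # landing-page prefix from the issue's application.yaml
LOGIN_PATH = "/login"   # assumed path of ShinyProxy's form-login page

def basic_header(user, password):
    """RFC 7617 Authorization value: 'Basic ' + base64(user:password)."""
    raw = f"{user}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")

def classify(status, location=None):
    """200, or a redirect into the app, means the Basic header logged us in
    (the behaviour reported here); 401 or a redirect to the login form means
    it was ignored or rejected."""
    if status == 200:
        return "accepted"
    if 300 <= status < 400 and location:
        if LANDING_PATH in location:
            return "accepted"
        if LOGIN_PATH in location:
            return "not accepted"
        return "unknown"
    if status in (401, 403):
        return "not accepted"
    return "unknown"

class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx replies as HTTPError instead of following them."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def check_basic_auth(base_url, user, password):
    """Send one GET carrying the Basic header and classify the reply."""
    headers = {"Authorization": basic_header(user, password)}
    req = urllib.request.Request(base_url, headers=headers)
    try:
        with urllib.request.build_opener(NoRedirect).open(req, timeout=10) as resp:
            return classify(resp.status, resp.headers.get("Location"))
    except urllib.error.HTTPError as err:
        return classify(err.code, err.headers.get("Location"))

if __name__ == "__main__":
    print(check_basic_auth(BASE_URL, "jack", "password"))
```

Run it before and after an upgrade to see whether the landing page still accepts the header; it only tells you how your own instance answers one request.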

Hi

ShinyProxy indeed allows basic authentication. The idea is that it can be used to access the API.

(for example, some service in the same context (protocol+host+port) will get these credentials, right?)

Yes, I believe so, but I think it requires the user to explicitly log in using basic auth, e.g. by making a link http://jack:password@localhost:8080. It even seems to me that this no longer works on the latest Firefox and Chrome.

Is it documented somewhere? Can I disable it?

It isn't documented on our website and currently there is no way to disable it. I can understand the wish to disable it (although I believe the security benefits are limited, but maybe you know more?). I'll have a look at adding an option to disable it in the release after 2.6.0.

LEDfan avatar Oct 27 '21 08:10 LEDfan

Hi, I try to imagine the situation in which this could be a security issue, but it's not obvious. Maybe let's just mention it in documentation and that's it.

nbbn avatar Oct 28 '21 14:10 nbbn