btc-rpc-explorer

Only require RPC password when actually viewing RPC routes

Open adamgall opened this issue 4 years ago • 3 comments

Currently, when the app is configured with BTCEXP_BASIC_AUTH_PASSWORD, the Basic Auth popup is displayed as soon as the site loads.

In my opinion, the Basic Auth popup should only be displayed when the user attempts to GET/POST /rpc-terminal and/or GET /rpc-browser.

With the new behavior, the explorer could remain public for general use, but require a password only when a user attempts to use the RPC functionality.

adamgall avatar May 13 '20 13:05 adamgall

It'd be even better to support both as a DoS protection.

Kixunil avatar Aug 01 '20 16:08 Kixunil

Not a bad idea. I'll try to rebase the PR (to fix conflicts), and keep the original functionality. Might need to think about the design a little bit.

@Kixunil as a user of btc-rpc-explorer, how would you want to configure it to switch between those two auth modes?

adamgall avatar Aug 01 '20 16:08 adamgall

Hmm, maybe BTCEXP_BASIC_AUTH_VIEW_PASSWORD and BTCEXP_BASIC_AUTH_MANAGE_PASSWORD?

Eventually, I'd love to see support for some kind of SSO though.

Kixunil avatar Aug 01 '20 18:08 Kixunil
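The two-tier scheme discussed in this thread, sketched as a route-aware authorization decision. This is an added example, not btc-rpc-explorer's own code: `cfg.viewPassword` and `cfg.managePassword` are hypothetical settings mirroring the env var names proposed above, and returning 403 for RPC routes when no manage password is set is an assumed fail-closed choice.

```javascript
const crypto = require("crypto");

// Routes the issue names as needing the RPC password.
const RPC_ROUTES = ["/rpc-terminal", "/rpc-browser"];

// Constant-time comparison; hashing first gives timingSafeEqual equal-length inputs.
function safeEqual(a, b) {
  const ha = crypto.createHash("sha256").update(a).digest();
  const hb = crypto.createHash("sha256").update(b).digest();
  return crypto.timingSafeEqual(ha, hb);
}

// Extract the password from an "Authorization: Basic ..." header, or null.
function basicPassword(header) {
  const m = /^Basic\s+([A-Za-z0-9+/=]+)$/i.exec(header || "");
  if (!m) return null;
  const decoded = Buffer.from(m[1], "base64").toString("utf8");
  const i = decoded.indexOf(":");
  return i < 0 ? null : decoded.slice(i + 1);
}

// Normalize before matching: a router that ignores case and trailing slashes
// would otherwise serve "/RPC-Terminal/" past a check written for "/rpc-terminal".
function isRpcRoute(path) {
  const p = path.split("?")[0].toLowerCase().replace(/\/+$/, "");
  return RPC_ROUTES.some((r) => p === r || p.startsWith(r + "/"));
}

// Returns 200 (allow), 401 (send a WWW-Authenticate challenge) or 403.
function authorize(cfg, path, authHeader) {
  const supplied = basicPassword(authHeader);
  const matches = (pw) => Boolean(pw) && supplied !== null && safeEqual(supplied, pw);
  if (isRpcRoute(path)) {
    // Fail closed: with no manage password configured, RPC routes stay unreachable.
    if (!cfg.managePassword) return 403;
    return matches(cfg.managePassword) ? 200 : 401;
  }
  // No view password: the explorer stays public, as the issue requests.
  if (!cfg.viewPassword) return 200;
  // The manage password also grants view access.
  return matches(cfg.viewPassword) || matches(cfg.managePassword) ? 200 : 401;
}
```

In an Express-style middleware, a 401 result would be sent with a `WWW-Authenticate: Basic` header so the browser shows the prompt only on the routes that need it.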