
[FEATURE REQUEST] Support Proxy Authentication

Open hobbyquaker opened this issue 2 years ago • 4 comments

I'd like to have a configuration option that allows me to set an HTTP header that can be used for doing external proxy authentication with e.g. Authentik.

As an example see PAPERLESS_ENABLE_HTTP_REMOTE_USER and PAPERLESS_HTTP_REMOTE_USER_HEADER_NAME in Paperless docs: https://paperless-ngx.readthedocs.io/en/latest/configuration.html#hosting-security

Motioneye would just have to accept the presence of this header as a valid session with the supplied user and skip its own login process.

hobbyquaker, May 08 '22 16:05

Many thanks for your request.

I see the idea behind it, but as far as I can think about it, it seems to be quite complicated to implement, since motionEye supports an admin and a surveillance user (multiple ones are requested already) where different GUI elements are shown. And how should motionEye know which header is for authentication, i.e. when to skip the internal authentication, which header is for the username, whether these usernames match the ones configured in motionEye, to know which GUI elements to show, and whether the header is just set by an attacker without any actual authentication being done? So motionEye would disable its authentication for everyone who knows that just this header needs to be set.

At least it must be a dedicated option to explicitly disable motionEye's authentication, not done based on any header. But I am still unsure how to deal with usernames and user-dependent GUI elements: it must be assured that a person behind the surveillance user cannot gain admin GUI access. Basically I see no chance besides a motionEye setting which allows setting the respective username headers explicitly as trusted headers, with the risk on the user's end, like Satisfy Any in Apache.

MichaIng, May 08 '22 16:05

Thanks for the fast response!

seems to be quite complicated to implement since motionEye supports an admin and a surveillance user (multiple ones are requested already) where different GUI elements are shown.

Authentik (and I guess other authentication tools too) can also supply group memberships via additional headers. But this would be an extra; as an MVP it's totally sufficient to just use the Motioneye internal user database. So if a header auth takes place, the user has to exist in Motioneye already, and Motioneye itself knows if it's an admin or a surveillance user (that's how many other applications handle that too).

So motionEye would disable its authentication for everyone who knows that just this header needs to be set.

Yes, I think it would be sufficient just to point out that the header auth should only be enabled if a reverse proxy handles access and prevents this header from being forwarded from outside. From the Paperless docs as an example:

This will allow authentication by simply adding a Remote-User: <username> header to a request. 
Use with care! 
You especially must ensure that any such header is not passed from your proxy server to paperless.

If you’re exposing paperless to the internet directly, do not use this.

Also I think it isn't needed to disable Motioneye's own authentication; it's sufficient to just accept the header auth as an alternative to opening a session by user/password login.

At least it must be a dedicated option to explicitly disable motionEye's authentication, not done based on any header

Sure, Motioneye should not just accept this header per se, only if it's explicitly enabled by a config option.

Perhaps https://goauthentik.io/docs/providers/proxy/ is helpful too to get a full picture of what I want to achieve.

All in all I think this approach is much more simplistic and less error-prone than implementing external auth mechanisms like SAML/OAuth/LDAP in Motioneye itself. With header auth all that complicated stuff would be done by another specialized piece of software like Authentik. I really like that approach and I'm already happily using it with e.g. Octoprint, Paperless and Netbox.

hobbyquaker, May 08 '22 16:05
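As an added illustration of the checks agreed on in the two comments above (this is example code, not motionEye's or Authentik's; the config class, the user table and the function names are hypothetical), a framework-independent resolver that only honours the header when the option is explicitly enabled, the request arrives from a trusted proxy address, and the user already exists in the internal database, with the role always taken from that database rather than from any header:

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical configuration: header auth is off unless explicitly switched on.
@dataclass(frozen=True)
class HeaderAuthConfig:
    enabled: bool = False
    header_name: str = "Remote-User"                # header set by the reverse proxy
    trusted_proxies: tuple = ("127.0.0.1/32",)      # only these sources may carry it


# Constructed internal user database (username -> role); the role never comes
# from a header, so a proxy-authenticated viewer cannot escalate to admin.
USERS = {"admin": "admin", "viewer": "surveillance"}


def from_trusted_proxy(remote_addr, cfg):
    """True if the TCP peer is one of the configured proxy networks."""
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    return any(addr in ipaddress.ip_network(net, strict=False)
               for net in cfg.trusted_proxies)


def resolve_header_auth(headers, remote_addr, cfg, users=USERS):
    """Return (username, role) when the request is authenticated by the trusted
    header, otherwise None so the caller falls back to the normal login form."""
    if not cfg.enabled:
        return None                      # feature must be opted into explicitly
    if not from_trusted_proxy(remote_addr, cfg):
        return None                      # header from anywhere else is ignored
    # HTTP header names are case-insensitive; normalise before lookup.
    lowered = {name.lower(): value for name, value in headers.items()}
    username = (lowered.get(cfg.header_name.lower()) or "").strip()
    if not username:
        return None
    role = users.get(username)
    if role is None:
        return None                      # unknown user: no account, no session
    return username, role
```

The proxy configuration must additionally strip any client-supplied copy of the header before adding its own, as the Paperless note quoted above points out; the address check here is a second layer, not a replacement for that.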

Ah so we could have a look into how OctoPrint implemented it to not reinvent it from scratch, that is good.

MichaIng, May 09 '22 06:05

Yes, see https://github.com/OctoPrint/OctoPrint/blob/master/src/octoprint/server/util/init.py#L231

hobbyquaker, May 10 '22 08:05