
allow login without authentication

Open cbeauhilton opened this issue 2 years ago • 7 comments

This issue grew out of issue 123

linkding and a number of other self-hosted programs have an authentication-by-default approach, with no option for access without authentication, and I get why that's the case. Tailscale and a few other tools have come in over the last few years and changed the game entirely, making me think there should always be an option for access without auth, even if the user needs to dig around in an XML file or similar to access "danger mode."

To be clear, the ideal path is: user logs into a secure network (e.g. their tailnet), and can then route to whatever apps are running on that network, without having to use app-wise authentication. Might also be nice for folks running this only on their intranet, which is basically the same thing.

As far as the UI for enabling "here be dragons" mode, would likely put it behind a few layers of "are you sure?" buttons, or make it a CLI-only option (kind of like how the only current way to make bad passwords [short, same as username, etc.] in linkding is to do it via the CLI).

cbeauhilton Mar 02 '23 01:03

Also interested in this. Should this option only be allowed for a single user scenario?

mckennajones Mar 10 '23 05:03

I could go either way. There is such a thing as a multiuser tailnet (or another intranet-style arrangement), so might be useful for e.g. corporate installs. I think if the method of activating no-PW mode is juuuuust difficult enough, it will ensure the only folks who do it have at least consented fully to the possible consequences, regardless of their intended use-case.

(This is definitely a philosophical thing, I'm more of a "and here are the footguns, key is under the rug, moving on..." kind of guy - I understand the other mode of being as well and don't want to push too hard on opening it up fully if it makes the majority of folks uncomfortable)

cbeauhilton Mar 12 '23 03:03

Yeah agreed about making it just difficult enough. Curious what it would look like from a UI perspective if we allowed multiple users though. Not sure if I've seen an example of a multi-user no-PW app in the wild before. A "default" user and then a simple dropdown to switch users? At the moment there is no indication of which user you are logged in as in the UI. Could be nice to add that as part of this as well.

mckennajones Mar 13 '23 16:03

Multiple users with an indication of which one you are would be interesting. Might also be useful to enable no-PW mode on a per-user basis, if that’s the case?

My original thought was to have the no-PW mode be for the whole instance, no separate users.

E.g. typically this would only be used in single-user instances anyway, but I suppose if some group wanted to maintain a linkding for some project, any and all could modify at will, using LAN or a multi-user tailnet for external auth.

cbeauhilton Mar 23 '23 02:03

Also interested! In order to keep it as simple as possible: Could this be implemented as some "auto-login"-parameter for the linkding instance? For example by defining a username and password of an existing user for auto-login in the docker compose file for the given instance. When hitting the login page, authentication is always automatically performed with the user from the configuration. So during runtime there would still be a user logged in and it would not affect the rest of the application.

cdanne Oct 27 '23 16:10
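A sketch of the auto-login idea from the comment above, gated on the "secure network" condition from the opening post; this is an added example, not linkding code and not something posted in the thread. The setting names, the `bookmarks` account and the sample addresses are assumptions made for the illustration, and it keeps only a username in configuration rather than a password.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical settings for this example only; these are not linkding options.
@dataclass(frozen=True)
class AutoLoginConfig:
    enabled: bool = False          # off unless explicitly switched on
    username: str = ""             # existing account to log in as (no password stored)
    trusted_networks: tuple = ()   # CIDRs that count as "already authenticated"
    trusted_proxies: tuple = ()    # reverse proxies allowed to set X-Forwarded-For

def _in_any(addr, cidrs):
    ip = ipaddress.ip_address(addr)            # raises ValueError if malformed
    return any(ip in ipaddress.ip_network(c) for c in cidrs)

def client_ip(remote_addr, forwarded_for, cfg):
    """Address to judge. X-Forwarded-For is honoured only when the TCP peer
    is a configured proxy; from anyone else the header is client-controlled."""
    if forwarded_for and _in_any(remote_addr, cfg.trusted_proxies):
        # Rightmost entry is the one our own proxy appended.
        return forwarded_for.split(",")[-1].strip()
    return remote_addr

def auto_login_user(remote_addr, forwarded_for, cfg):
    """Username to log in as, or None to fall back to the normal login form."""
    if not (cfg.enabled and cfg.username and cfg.trusted_networks):
        return None
    try:
        ip = client_ip(remote_addr, forwarded_for, cfg)
        return cfg.username if _in_any(ip, cfg.trusted_networks) else None
    except ValueError:             # malformed address: fail closed
        return None

# Constructed sample configuration: tailnet CGNAT range, proxy on localhost.
SAMPLE = AutoLoginConfig(enabled=True, username="bookmarks",
                         trusted_networks=("100.64.0.0/10",),
                         trusted_proxies=("127.0.0.1/32",))

if __name__ == "__main__":
    for peer, xff in [("100.101.102.103", None),
                      ("203.0.113.7", "100.101.102.103"),
                      ("127.0.0.1", "100.101.102.103")]:
        print(peer, xff, "->", auto_login_user(peer, xff, SAMPLE))
```
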

I think the best solution would be to add mTLS support. Certificates are easily added systemwide on all systems and devices.

cyruz-git Aug 19 '24 17:08