
Comments (11)

Lissy93 commented on May 22, 2024

Hi @MilesTEG1 - thanks for raising this :)
I've added an option for you to select how long the session should last before expiring in #66
This is what it looks like:


Lissy93 commented on May 22, 2024

Unfortunately your other two requests are outside the scope, so I won't be implementing them at this time. I recommend implementing this on your server instead.

@EVOTk recommends Authelia, which can be used in conjunction with your reverse proxy (like NGINX, Traefik, etc). It supports 2-factor authentication, and you can use it globally across your lab, so it should be much more convenient. I found this video by Techno Tim very useful for getting started.

Just to reiterate, if your dashboard is exposed to the internet and/or contains any sensitive data, you should not rely on Dashy's login page. It is handled on the client-side, which means it is possible for an attacker to potentially reverse-engineer it. It's definitely better than nothing, but is really intended for use within the safe walls of your local network, to restrict access for those who share your server.


EVOTk commented on May 22, 2024

Hi,
Have you read https://github.com/Lissy93/dashy/blob/master/docs/authentication.md#security

You will see that Dashy's login page is not bulletproof because of its design, and that it is recommended to use something else such as Authelia, nginx, ...


MilesTEG1 commented on May 22, 2024

@EVOTk
Hi ✋🏻
Yes, I have read that page, but it seems a bit too complex for me to set up...
You'll have to write a detailed tutorial 😄


MilesTEG1 commented on May 22, 2024

Thanks for the answer.

I think I'll let Dashy stay inside my LAN only... not exposed to the internet with a domain name.
Implementing Authelia on my NAS would be too complicated for me...
I use the DSM reverse proxy (based on nginx), but I don't have complete control over it...

So for now, I'll stick with basic auth :)

But, could it be possible to have a connection log (in a .log file accessible through a volume) (failed ones, successful ones) so that my fail2ban container can work on it?


Lissy93 commented on May 22, 2024

I'm not sure about the connection log. The login is very simple, and I don't want to over-complicate things and risk increasing the attack surface. A connection log would involve writing to a file, and if that's done by an unauthenticated user it could be abused by an attacker. This is because, unlike server-side apps, Dashy is mostly a frontend app, and so it's possible to use the browser's dev tools to intercept and modify requests.

At the end of the day, I think most users who will want these kinds of features will use a different authentication method. Sorry about that. But if you've got it within your LAN, then why don't you restrict which IPs can access Dashy instead? Say only allow access from yourself, do it on your web server, and it will be quite safe.


Lissy93 commented on May 22, 2024

Hey @MilesTEG1 - Sorry I forgot to update you sooner, but just to let you know that both 2-factor auth and failed-attempt logging are now implemented, through integrating with Keycloak. This was merged in #174, so you need to be using V-1.6.5 or later. You can learn more about how to set this up in the authentication docs.

Keycloak also allows for SSO, plus many more features than I could ever feasibly implement with Dashy's basic auth, and since it's handled server-side it is also more secure too - I think you'll like it! Feel free to reach out if you have any more questions :)


MilesTEG1 commented on May 22, 2024

Hello @Lissy93
Great news, I'll go check the doc to see how I can set it up :)
But I don't know what Keycloak is...

Thanks for the heads-up :)


MilesTEG1 commented on May 22, 2024

It seems a bit too complicated for me...


Lissy93 commented on May 22, 2024

Ah ok, no worries :)
Is it because the docs aren't clear enough, or just because there are more things to set up versus the basic auth?


MilesTEG1 commented on May 22, 2024

It's more because there is much more to set up, yes :) And the fact that it uses another service.
Maybe one day I'll try it :)
For now, the current auth should be enough. I only use it on my LAN, and with the reverse proxy with Access Control limited to the LAN IP and my VPN IP.
I wonder if it could be possible to extend the "remember me" values a little bit :)

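The mitigation Lissy93 suggests above (restrict which IPs reach Dashy at the web server) and the LAN-plus-VPN access control MilesTEG1 describes, written out as an nginx reverse-proxy server block. This is an added example, not configuration from the Dashy project or from anyone in this thread; the LAN range `192.168.1.0/24`, the VPN client `10.8.0.2`, the hostname `dashy.lan`, the log paths and the upstream `dashy:80` are constructed placeholders.

```nginx
# Added example (not from the thread): nginx in front of Dashy, reachable only
# from the LAN and one VPN client. Every address and path here is a placeholder.
server {
    listen 80;
    server_name dashy.lan;              # placeholder hostname

    # allow/deny rules are checked in order and the first match decides.
    allow 192.168.1.0/24;               # home LAN (placeholder range)
    allow 10.8.0.2;                     # VPN client (placeholder address)
    deny  all;                          # every other source gets HTTP 403

    # Denied requests are recorded by nginx itself ("access forbidden by rule",
    # with the client address). That gives fail2ban a server-side log of
    # rejected connections, which Dashy's client-side login cannot provide.
    error_log  /var/log/nginx/dashy.error.log  warn;
    access_log /var/log/nginx/dashy.access.log;

    # If this nginx sits behind another proxy, $remote_addr is that proxy's
    # address and the allow/deny rules above would test the wrong client.
    # Only then enable the two lines below, naming just that trusted hop.
    # set_real_ip_from 192.168.1.1;     # placeholder: the upstream proxy
    # real_ip_header   X-Forwarded-For;

    location / {
        proxy_pass http://dashy:80;     # Dashy container (placeholder upstream)
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Check the result with `nginx -t` before reloading, and verify from a host outside the allowed ranges that the response is 403 and that the error log records the attempt.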
