Can login be disabled?

[ocdtrekkie]

Is your feature request related to a problem? Please describe.
I host my apps on a Sandstorm.io server, where the platform handles login, starts and stops apps, and prevents unauthorized users from accessing running sessions of an app. Having a separate registration and login would make it hard to meaningfully package this for Sandstorm.

Additionally, if it didn't add another login barrier, a user could create a separate instance of 2FAuth (Sandstorm allows users to create many instances of any app), and share it with another user, if it was a 2FA for a shared account.

Describe the solution you'd like
Since 2FAuth is already single-user by design, ideally, a configuration option that disables the login/registration screens.

Describe alternatives you've considered
If there is a way to script the account creation... but I'm not sure that would remove the seamless login issue.

[Bubka]

Hello

I had a look to the Sandstorm.io doc, I guess the best approch would be to make 2FAuth a Sandstorm package.
I will think about it.

[ocdtrekkie]

I could probably look into the packaging part, SQLite-based apps work pretty well on Sandstorm. But the big thing I see being a blocker is that we'd need to suppress the app's own login mechanism, hence the feature request. :)

[rpatel3001]

Gonna bump this instead of creating a new thread because it's somewhat related. I'm hosting this package behind a reverse proxy that handles SSO for all my software via OAuth. The client applications either don't have login or look for a header that is forwarded from the OAuth provider with the username/email. From a quick look Sandstorm does the same thing. This could be implemented by looking for a configurable header name for a configurable unique identifier (email or username) and bypassing the login screen if the username/email match an existing user. It could possibly be extended by allowing signing up via this method also but that's probably a rare use case for this app. An implementation of this can be found in Grafana: https://grafana.com/docs/grafana/latest/auth/auth-proxy/

[Bubka]

Interesting read, this enlighten me on topic I've never really investigate 👍🏻

For now 2FAuth only use local sign-in with bearer token, but Laravel Passport supports OAuth.
I'm working on a new version where 2FAuth will be fully API oriented, I've already planned to implement Personal Access Token management.
I think I will go further and also support auth proxy, it's the good opportunity.

[Bubka]

2FAuth v3 now supports authentication proxy : https://docs.2fauth.app/security/authentication/#authentication-proxy

It works exactly as @rpatel3001 described it, by looking for a dedicated header passed by the proxy. It should work at sandstorm.io, please let me know.

[ocdtrekkie]

This is very exciting. I've had a reminder floating around weekly I should check back for this for... a long time. I'll try to play with it ASAP.

[rpatel3001]

Thanks! I tried this out and couldn't get it to work. I upgraded to the latest docker image, which worked fine, but when I add

- AUTHENTICATION_GUARD=reverse-proxy-guard
- AUTH_PROXY_HEADER_FOR_USER=X-FORWARDED-USER
- AUTH_PROXY_HEADER_FOR_EMAIL=X-FORWARDED-USER

to my docker-compose config I am unable to login at all. If I tail -f the laravel log inside the container when I visit the page, I get a stack trace (here).

[rpatel3001]

Strangely enough, after restarting the container, it seems to be working perfectly well.

[ocdtrekkie]

I am working on a Sandstorm package, but I have to rewire where Laravel stores the logs for it to work, will report back soon on my end.

[rpatel3001]

@Bubka and the problem is back again today. When I visit the page with the correct header in place, it still redirects me to /login. Clicking "Sign in" leads me to a /error with message "Server Error". Clicking refresh or close gets me a brief glimpse at /accounts (which appears correct) before a redirect back to /login.

[Bubka]

Could you please open a dedicated issue, I will have a look.

Also, set the env var APP_DEBUGto true to get more details on the returned errors.