preliminary web support for auth (#26)
Some caveats:

  * it doesn't record the peer IP yet, which makes it harder to verify
    sessions are valid. This is a little annoying to do in hyper now
    (see hyperium/hyper#1410). The direct peer might not be what we want
    right now anyway because there's no TLS support yet (see #27).  In
    the meantime, the sane way to expose Moonfire NVR to the Internet is
    via a proxy server, and recording the proxy's IP is not useful.
    Maybe better to interpret an RFC 7239 Forwarded header (and/or
    the older X-Forwarded-{For,Proto} headers).

  * it doesn't ever use Secure (https-only) cookies, for a similar reason.
    It's not safe to use even with a TLS proxy until this is fixed.

  * there's no "moonfire-nvr config" support for inspecting/invalidating
    sessions yet.

  * in debug builds, logging in is crazy slow. See libpasta/libpasta#9.

Some notes:

  * I removed the JavaScript "no-use-before-defined" lint, as some of
    the functions form a cycle.

  * Fixed #20 along the way. I needed to add support for properly
    returning non-OK HTTP statuses to signal unauthorized and such.

  * I removed the Access-Control-Allow-Origin header support, which was
    at odds with the "SameSite=lax" in the cookie header. The "yarn
    start" method for running a local proxy server accomplishes the same
    thing as the Access-Control-Allow-Origin support in a more secure
    manner.
scottlamb committed Nov 27, 2018
1 parent 679370c commit 422cd2a
Showing 21 changed files with 923 additions and 212 deletions.
1 change: 0 additions & 1 deletion .eslintrc.json
Expand Up @@ -17,6 +17,5 @@
"no-shadow-restricted-names": ["error"],
"no-undef": ["error", {"typeof": true}],
"no-unused-vars": ["error", { "vars": "all", "args": "after-used", "ignoreRestSiblings": false }],
"no-use-before-define": ["error", { "functions": true, "classes": true }]
}
}
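Review bot: dropping the whole `no-use-before-define` entry at the end of the rules block also stops checking classes and variables, while the commit message only cites functions that form a cycle. Setting `"functions": false` on the existing rule would allow the mutually recursive functions and keep the other checks. Also confirm that the `no-unused-vars` line, which ends in a comma in this view, is not left as a trailing comma before the closing brace, since strict JSON parsers reject that.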
22 changes: 8 additions & 14 deletions Cargo.lock

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

3 changes: 3 additions & 0 deletions Cargo.toml
Expand Up @@ -17,6 +17,7 @@ bundled = ["rusqlite/bundled"]
members = ["base", "db", "ffmpeg"]

[dependencies]
base64 = "0.9.0"
bytes = "0.4.6"
byteorder = "1.0"
docopt = "1.0"
Expand All @@ -30,6 +31,7 @@ hyper = "0.12.9"
lazy_static = "1.0"
libc = "0.2"
log = { version = "0.4", features = ["release_max_level_info"] }
memchr = "2.0.2"
memmap = "0.7"
moonfire-base = { path = "base" }
moonfire-db = { path = "db" }
Expand All @@ -39,6 +41,7 @@ openssl = "0.10"
parking_lot = { version = "0.6", features = [] }
reffers = "0.5.1"
regex = "1.0"
ring = "0.12.1"
rusqlite = "0.14"
serde = "1.0"
serde_derive = "1.0"
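Review bot: `ring = "0.12.1"` is added in this hunk while `openssl = "0.10"` is already a dependency of the same crate (visible in the hunk header), so the binary now carries two crypto libraries with nothing saying which one backs the new session code. A short comment above the `ring` line stating what it is used for would make later audits and upgrades easier, and it is worth checking that the version agrees with whatever the db crate's `libpasta` dependency pulls in.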
4 changes: 2 additions & 2 deletions README.md
Expand Up @@ -12,8 +12,8 @@ less than 10% of the machine's total CPU.

So far, the web interface is basic: a filterable list of video segments,
with support for trimming them to arbitrary time ranges. No scrub bar yet.
There's also no support for motion detection, no authentication, and no config
UI.
There's also no support for motion detection, no https/SSL/TLS support (you'll
need a proxy server), and no config UI.

![screenshot](screenshot.png)

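Review bot: the new README sentence tells readers they need a proxy server for TLS, but the commit message states that cookies are never marked Secure and that the setup is not safe even behind a TLS proxy until that is fixed. The text in this hunk should say so, or point to #27, so that nobody reads the removal of "no authentication" as meaning the login is ready for Internet exposure.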
3 changes: 2 additions & 1 deletion db/Cargo.toml
Expand Up @@ -11,12 +11,13 @@ nightly = []
path = "lib.rs"

[dependencies]
base64 = "0.9.0"
blake2-rfc = "0.2.18"
failure = "0.1.1"
fnv = "1.0"
lazy_static = "1.0"
libc = "0.2"
libpasta = { git = "https://github.com/scottlamb/libpasta", branch = "pr-default-ring" }
libpasta = "0.1.0-rc2"
log = "0.4"
lru-cache = "0.1"
moonfire-base = { path = "../base" }
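Review bot: the two `libpasta` lines in this hunk swap between a personal fork's git branch (`pr-default-ring`) and the `0.1.0-rc2` release candidate, and neither is a stable release of the password hashing library. Add a comment next to the dependency recording why this source was chosen and what has to happen upstream before it can move to a stable version. A git branch reference in particular is fixed to a revision only through Cargo.lock, so the comment should name the intended revision or PR.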