Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

rpc-secret password isn't retained #125

Closed
gbcox opened this issue Jan 12, 2015 · 8 comments
Closed

rpc-secret password isn't retained #125

gbcox opened this issue Jan 12, 2015 · 8 comments

Comments

@gbcox
Copy link

gbcox commented Jan 12, 2015

I put the password into connection settings:
enter the secret token. I press save.
Everything works fine... but after a period of time, the password disappears, the connection drops and I have to re-enter and then save it.
I was able to manually edit the configuration.js file which got things working, as far as I can tell however the connection settings dialog doesn't write to the configuration.js file.

Also, did you think of just getting the password from the aria2.conf file?

If there is anymore information you need, let me know. Thanks!
@ziahamza
Copy link
Owner

I have to look into this. Webui cannot really read the aria2.conf as it lives in the server and is not accessible from the browser for security reasons.

-----Original Message-----
From: "Gerald Cox" [email protected]
Sent: ‎12/‎1/‎15 12:46 PM
To: "ziahamza/webui-aria2" [email protected]
Subject: [webui-aria2] rpc-secret password isn't retained (#125)

I put the password into connection settings:
enter the secret token. I press save.
Everything works fine... but after a period of time, the password disappears, the connection drops and I have to re-enter and then save it.
Also, did you think of just getting the password from the aria2.conf file?
If there is anymore information you need, let me know. Thanks!

Reply to this email directly or view it on GitHub.=

@gbcox
Copy link
Author

gbcox commented Jan 17, 2015

Understood. In my particular situation I am using a single server that runs both the Webui and aria2. I also opened an issue with aria2: aria2/aria2#329
regarding having the rpc-secret in plain text and suggested they look at the method used by the msmtp project as additional option: http://msmtp.sourceforge.net/doc/msmtp.html#passwordeval

It just doesn't seem quite right to have something called "rpc-secret" and then have it stored in plain text in every application that uses aria2 (including the aria2 conf).

@ziahamza
Copy link
Owner

Oh nice. I will follow the issue as it comes along

-----Original Message-----
From: "Gerald Cox" [email protected]
Sent: ‎18/‎1/‎15 3:32 AM
To: "ziahamza/webui-aria2" [email protected]
Cc: "hamza zia" [email protected]
Subject: Re: [webui-aria2] rpc-secret password isn't retained (#125)

Understood. In my particular situation I am using a single server that runs both the Webui and aria2. I also opened an issue with aria2: aria2/aria2#329
regarding having the rpc-secret in plain text and suggested they look at the method used by the msmtp project as additional option: http://msmtp.sourceforge.net/doc/msmtp.html#passwordeval
It just doesn't seem quite right to have something called "rpc-secret" and then have it stored in plain text in every application that uses aria2 (including the aria2 conf).

Reply to this email directly or view it on GitHub.=

@louy2
Copy link

louy2 commented Sep 6, 2015

I'm thinking about how normal web server handles password validation: hashed store, hash validation, cookie for session persistence, etc.

@ziahamza
Copy link
Owner

ziahamza commented Sep 9, 2015

Yeah, giving it a hash rather then plain text password makes more sense. Then webui can just hash the password in place and send it off to aria2 without leaking it.

@louy2
Copy link

louy2 commented Sep 9, 2015

Nvm, aria2 isn't normal web server and doesn't come with cookie and such, and the webui can do little to enhance that.

@gbcox
IMO the webUI is only providing UI, so your current setting should be fine as long as you use a safe password, you know, random with symbols, no dictionary words. The true securing should be at the server with which you serve the webUI, e.g., you can require a user certificate to access it with nginx.

@alexya
Copy link

alexya commented Aug 11, 2019
edited
Loading

@gbcox Hi, I ran the aria2 in my local machine and met the same issue as you. You mentioned that:

I was able to manually edit the configuration.js file which got things working, as far as I can tell however the connection settings dialog doesn't write to the configuration.js file.

Could u please give me help on how to edit the configuration.js file to add the token and make it work.
I did like this in the configuration.js, but failed to work.

  .constant("$authconf", {
    host: location.protocol.startsWith("http") ? location.hostname : "localhost",
    path: "/jsonrpc",
    port: 6800,
    encrypt: false,
    auth: {
      token: 'my_token_here'
    },
    directURL: "" 
  })

when starting aria2 rpc, I have set the rpc-secret=my_token_here

@no1xsyzy
Copy link
Contributor

no1xsyzy commented Aug 12, 2019
edited
Loading

@alexya try #473 (comment), configuration.js does not work before compiling.
Otherwise you can try #417.
Don't reply to a closed issue, since your problem might be and possibly be different.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@ziahamza @louy2 @alexya @gbcox @no1xsyzy @anthonyraymond