add setting for secure flag on cookie (#11422)
* add setting for secure flag on cookie * docs fix
This commit is contained in:
parent
3ce8816b9a
commit
402f5fa142
@ -18,11 +18,11 @@ Frigate supports two modes for authentication
|
|||||||
|
|
||||||
Frigate stores user information in its database. Password hashes are generated using industry standard PBKDF2-SHA256 with 600,000 iterations. Upon successful login, a JWT token is issued with an expiration date and set as a cookie. The cookie is refreshed as needed automatically. This JWT token can also be passed in the Authorization header as a bearer token.
|
Frigate stores user information in its database. Password hashes are generated using industry standard PBKDF2-SHA256 with 600,000 iterations. Upon successful login, a JWT token is issued with an expiration date and set as a cookie. The cookie is refreshed as needed automatically. This JWT token can also be passed in the Authorization header as a bearer token.
|
||||||
|
|
||||||
Users are managed in the UI under Settings > Authentication.
|
Users are managed in the UI under Settings > Users.
|
||||||
|
|
||||||
#### Onboarding
|
#### Onboarding
|
||||||
|
|
||||||
On startup, an admin user and password are generated and printed in the logs. It is recommended to set a new password for the admin account after logging in for the first time under Settings > Authentication.
|
On startup, an admin user and password are generated and printed in the logs. It is recommended to set a new password for the admin account after logging in for the first time under Settings > Users.
|
||||||
|
|
||||||
#### Resetting admin password
|
#### Resetting admin password
|
||||||
|
|
||||||
|
@ -73,6 +73,9 @@ auth:
|
|||||||
reset_admin_password: False
|
reset_admin_password: False
|
||||||
# Optional: Cookie to store the JWT token for native auth (default: shown below)
|
# Optional: Cookie to store the JWT token for native auth (default: shown below)
|
||||||
cookie_name: frigate_token
|
cookie_name: frigate_token
|
||||||
|
# Optional: Set secure flag on cookie. (default: shown below)
|
||||||
|
# NOTE: This should be set to True if you are using TLS
|
||||||
|
cookie_secure: False
|
||||||
# Optional: Session length in seconds (default: shown below)
|
# Optional: Session length in seconds (default: shown below)
|
||||||
session_length: 86400 # 24 hours
|
session_length: 86400 # 24 hours
|
||||||
# Optional: Refresh time in seconds (default: shown below)
|
# Optional: Refresh time in seconds (default: shown below)
|
||||||
|
@ -160,10 +160,10 @@ def create_encoded_jwt(user, expiration, secret):
|
|||||||
return jwt.encode({"alg": "HS256"}, {"sub": user, "exp": expiration}, secret)
|
return jwt.encode({"alg": "HS256"}, {"sub": user, "exp": expiration}, secret)
|
||||||
|
|
||||||
|
|
||||||
def set_jwt_cookie(response, cookie_name, encoded_jwt, expiration):
|
def set_jwt_cookie(response, cookie_name, encoded_jwt, expiration, secure):
|
||||||
# TODO: ideally this would set secure as well, but that requires TLS
|
# TODO: ideally this would set secure as well, but that requires TLS
|
||||||
response.set_cookie(
|
response.set_cookie(
|
||||||
cookie_name, encoded_jwt, httponly=True, expires=expiration, secure=False
|
cookie_name, encoded_jwt, httponly=True, expires=expiration, secure=secure
|
||||||
)
|
)
|
||||||
|
|
||||||
|
|
||||||
@ -196,6 +196,7 @@ def auth():
|
|||||||
fail_response.headers["location"] = "/login"
|
fail_response.headers["location"] = "/login"
|
||||||
|
|
||||||
JWT_COOKIE_NAME = current_app.frigate_config.auth.cookie_name
|
JWT_COOKIE_NAME = current_app.frigate_config.auth.cookie_name
|
||||||
|
JWT_COOKIE_SECURE = current_app.frigate_config.auth.cookie_secure
|
||||||
JWT_REFRESH = current_app.frigate_config.auth.refresh_time
|
JWT_REFRESH = current_app.frigate_config.auth.refresh_time
|
||||||
JWT_SESSION_LENGTH = current_app.frigate_config.auth.session_length
|
JWT_SESSION_LENGTH = current_app.frigate_config.auth.session_length
|
||||||
|
|
||||||
@ -256,7 +257,11 @@ def auth():
|
|||||||
user, new_expiration, current_app.jwt_token
|
user, new_expiration, current_app.jwt_token
|
||||||
)
|
)
|
||||||
set_jwt_cookie(
|
set_jwt_cookie(
|
||||||
success_response, JWT_COOKIE_NAME, new_encoded_jwt, new_expiration
|
success_response,
|
||||||
|
JWT_COOKIE_NAME,
|
||||||
|
new_encoded_jwt,
|
||||||
|
new_expiration,
|
||||||
|
JWT_COOKIE_SECURE,
|
||||||
)
|
)
|
||||||
|
|
||||||
success_response.headers["remote-user"] = user
|
success_response.headers["remote-user"] = user
|
||||||
@ -284,6 +289,7 @@ def logout():
|
|||||||
@limiter.limit(get_rate_limit, deduct_when=lambda response: response.status_code == 400)
|
@limiter.limit(get_rate_limit, deduct_when=lambda response: response.status_code == 400)
|
||||||
def login():
|
def login():
|
||||||
JWT_COOKIE_NAME = current_app.frigate_config.auth.cookie_name
|
JWT_COOKIE_NAME = current_app.frigate_config.auth.cookie_name
|
||||||
|
JWT_COOKIE_SECURE = current_app.frigate_config.auth.cookie_secure
|
||||||
JWT_SESSION_LENGTH = current_app.frigate_config.auth.session_length
|
JWT_SESSION_LENGTH = current_app.frigate_config.auth.session_length
|
||||||
content = request.get_json()
|
content = request.get_json()
|
||||||
user = content["user"]
|
user = content["user"]
|
||||||
@ -299,7 +305,9 @@ def login():
|
|||||||
expiration = int(time.time()) + JWT_SESSION_LENGTH
|
expiration = int(time.time()) + JWT_SESSION_LENGTH
|
||||||
encoded_jwt = create_encoded_jwt(user, expiration, current_app.jwt_token)
|
encoded_jwt = create_encoded_jwt(user, expiration, current_app.jwt_token)
|
||||||
response = make_response({}, 200)
|
response = make_response({}, 200)
|
||||||
set_jwt_cookie(response, JWT_COOKIE_NAME, encoded_jwt, expiration)
|
set_jwt_cookie(
|
||||||
|
response, JWT_COOKIE_NAME, encoded_jwt, expiration, JWT_COOKIE_SECURE
|
||||||
|
)
|
||||||
return response
|
return response
|
||||||
return make_response({"message": "Login failed"}, 400)
|
return make_response({"message": "Login failed"}, 400)
|
||||||
|
|
||||||
|
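Review bot: The comment kept inside set_jwt_cookie, `# TODO: ideally this would set secure as well, but that requires TLS`, is now stale: the hunk adds a `secure` parameter and passes it through to `response.set_cookie`, so the TODO no longer describes the code and will mislead the next reader into thinking the flag is still hard-wired off. Replace it with a comment that documents the new contract, e.g. `# secure comes from auth.cookie_secure; it must be True when Frigate is served over TLS so the JWT cookie is never sent in clear`, and give the function a one-line docstring naming the five parameters since it is now called from both login() and auth(). While the cookie is being hardened, consider also setting `samesite="Lax"` on the same `set_cookie` call (`cookie_name, encoded_jwt, httponly=True, expires=expiration, secure=secure, samesite="Lax"`), unless some cross-site flow is known to rely on the cookie being sent on top-level cross-origin POSTs — that dependency is not visible from these hunks. The callers in auth() and login() start and end outside the visible hunks.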
@ -135,6 +135,7 @@ class AuthConfig(FrigateBaseModel):
|
|||||||
cookie_name: str = Field(
|
cookie_name: str = Field(
|
||||||
default="frigate_token", title="Name for jwt token cookie", pattern=r"^[a-z]_*$"
|
default="frigate_token", title="Name for jwt token cookie", pattern=r"^[a-z]_*$"
|
||||||
)
|
)
|
||||||
|
cookie_secure: bool = Field(default=False, title="Set secure flag on cookie")
|
||||||
session_length: int = Field(
|
session_length: int = Field(
|
||||||
default=86400, title="Session length for jwt session tokens", ge=60
|
default=86400, title="Session length for jwt session tokens", ge=60
|
||||||
)
|
)
|
||||||
|
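Review bot: The new `cookie_secure` field carries only a title, so a reader of the generated schema gets no hint about when it matters; with the default of False the JWT session cookie is accepted over plain HTTP, which is the intended behaviour for non-TLS deployments but worth stating. Suggest `cookie_secure: bool = Field(default=False, title="Set secure flag on cookie", description="Set to True when Frigate is served over TLS so the JWT cookie is only sent on HTTPS connections")`, mirroring the NOTE added to the reference config in this same commit. Unrelated to this change but visible in the context lines: the `pattern=r"^[a-z]_*$"` on `cookie_name` looks like it matches a single letter followed by underscores rather than names like the default `frigate_token`; it may only go unnoticed because the default is not validated — worth confirming against the pydantic settings in use. The enclosing AuthConfig class starts and ends outside the hunk.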