forked from Github/frigate
Auth! (#11347)
* reload the window on 401
* backend apis for auth
* add login page
* re-enable web linter
* fix login page routing
* bypass csrf for internal auth endpoint
* disable healthcheck in devcontainer target
* include login page in vite build
* redirect to login page on 401
* implement config for users and settings
* implement JWT actual secret
* add brute force protection on login
* add support for redirecting from auth failures on api calls
* return location for redirect
* default cookie name should pass regex test
* set hash iterations to current OWASP recommendation
* move users to database instead of config
* config option to reset admin password on startup
* user management UI
* check for deleted user on refresh
* validate username and fixes
* remove password constraint
* cleanup
* fix user check on refresh
* web fixes
* implement auth via new external port
* use x-forwarded-for to rate limit login attempts by ip
* implement logout and profile
* fixes
* lint fixes
* add support for user passthru from upstream proxies
* add support for specifying a logout url
* add documentation
* Update docs/docs/configuration/authentication.md

Co-authored-by: Nicolas Mowen <nickmowen213@gmail.com>

* Update docs/docs/configuration/authentication.md

Co-authored-by: Nicolas Mowen <nickmowen213@gmail.com>

---------

Co-authored-by: Nicolas Mowen <nickmowen213@gmail.com>
@@ -63,6 +63,45 @@ database:
|
||||
# The path to store the SQLite DB (default: shown below)
|
||||
path: /config/frigate.db
|
||||
|
||||
# Optional: Authentication configuration
|
||||
auth:
|
||||
# Optional: Authentication mode (default: shown below)
|
||||
# Valid values are: native, proxy
|
||||
mode: native
|
||||
# Optional: Reset the admin user password on startup (default: shown below)
|
||||
# New password is printed in the logs
|
||||
reset_admin_password: False
|
||||
# Optional: Cookie to store the JWT token for native auth (default: shown below)
|
||||
cookie_name: frigate_token
|
||||
# Optional: Session length in seconds (default: shown below)
|
||||
session_length: 86400 # 24 hours
|
||||
# Optional: Refresh time in seconds (default: shown below)
|
||||
# When the session is going to expire in less time than this setting,
|
||||
# it will be refreshed back to the session_length.
|
||||
refresh_time: 43200 # 12 hours
|
||||
# Optional: Mapping for headers from upstream proxies. Only used in proxy auth mode.
|
||||
# NOTE: Many authentication proxies pass a header downstream with the authenticated
|
||||
# user name. Not all values are supported. It must be a whitelisted header.
|
||||
# See the docs for more info.
|
||||
header_map:
|
||||
user: x-forwarded-user
|
||||
# Optional: Rate limiting for login failures to help prevent brute force
|
||||
# login attacks (default: shown below)
|
||||
# See the docs for more information on valid values
|
||||
failed_login_rate_limit: None
|
||||
# Optional: Trusted proxies for determining IP address to rate limit
|
||||
# NOTE: This is only used for rate limiting login attempts and does not bypass
|
||||
# authentication in any way
|
||||
trusted_proxies: []
|
||||
# Optional: Url for logging out a user. This only needs to be set if you are using
|
||||
# proxy mode.
|
||||
logout_url: /api/logout
|
||||
# Optional: Number of hashing iterations for user passwords
|
||||
# As of Feb 2023, OWASP recommends 600000 iterations for PBKDF2-SHA256
|
||||
# NOTE: changing this value will not automatically update password hashes, you
|
||||
# will need to change each user password for it to apply
|
||||
hash_iterations: 600000
|
||||
|
||||
# Optional: model modifications
|
||||
model:
|
||||
# Optional: path to the model (default: automatic based on detector)
|
||||
|
||||
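Review bot: `failed_login_rate_limit: None` near the end of the new `auth:` block is documented as the default, so if None means no limit, the brute-force protection is off until the user configures it, and the comment only points to the docs for valid values. Consider showing one example value in the comment, or shipping a non-None default, so the reference config itself tells the reader how to turn the protection on. In the same block, the `reset_admin_password` comment says the new password is printed in the logs; it should also say to set the option back to False after use and that anyone who can read the logs can read that password. The `header_map` comment says the header must be whitelisted but does not name the permitted headers; listing them here, or naming the docs page, would save a lookup.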