[Request] Ability to require auth #1406

Closed
dbnewman opened this issue Feb 28, 2024 · 11 comments · Fixed by #2374
Labels
🌠 Feature Request New feature or request | 特性与建议 Inactive No response in 30 days | 超过 30 天未活跃 released
Comments

@dbnewman

🥰 Feature Description

It appears there is no way to enforce auth, instead the user is presented the application and the auth option is added to settings.

🧐 Proposed Solution

There should be a configuration item to enforce auth preventing access to the app unless a user is logged in.

📝 Additional Information

No response

@dbnewman dbnewman added the 🌠 Feature Request New feature or request | 特性与建议 label Feb 28, 2024
@lobehubbot
Member

👀 @dbnewman

Thank you for raising an issue. We will investigate into the matter and get back to you as soon as possible.
Please make sure you have given us as much context as possible.
Thank you very much for submitting this issue. We will look into it and get back to you as soon as possible. Please make sure you have provided as much background information as possible.

@arvinxx
Contributor

arvinxx commented Feb 28, 2024

@cy948 what's your idea about this?

@cy948
Contributor

cy948 commented Feb 28, 2024

> @cy948 what's your idea about this?

Perhaps we can restrict access to all routes by non-authenticated users and set up a login page.
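The gate sketched in this comment, and the "authenticate before the front end renders" behaviour requested later in the thread, both come down to one deny-by-default decision per request. The block below is an added, framework-agnostic example of that decision logic; it is not LobeChat code and the names (`decideAccess`, `issueSession`, the in-memory `SESSIONS` store, the public-path lists) are assumptions. A Next.js middleware or a reverse proxy would call `decideAccess()` on every request and either pass it through or redirect to the login page. The parts worth noting are the explicit allowlist (without it the login page and the OAuth callback are themselves unreachable and every request loops back to `/login`), exact matching for `/login` so that `/login-anything` is not accidentally public, and path normalisation so dot segments cannot be used to dress a protected route up as a public one.

```typescript
// Added example (not LobeChat code): deny-by-default access decision for
// "auth in front of every route". All names and the session store are hypothetical.
import { randomUUID } from 'node:crypto';

export type Session = { userId: string; expiresAt: number };

export type AccessRequest = {
  path: string;           // URL path of the incoming request
  sessionCookie?: string; // raw value of the session cookie, if present
};

export type Decision =
  | { kind: 'allow' }
  | { kind: 'redirect'; location: string };

// Routes that must remain reachable without a session: the login page itself,
// the auth callbacks that create a session, and static assets. Exact paths are
// matched with equality so '/login-anything' is not treated as public.
const PUBLIC_PATHS = new Set(['/login', '/favicon.ico']);
const PUBLIC_DIRS = ['/api/auth/', '/_next/static/'];

// Resolve dot segments ('/api/auth/../chat' -> '/api/chat') before matching,
// so the allowlist is compared against what the router would actually serve.
export const normalizePath = (path: string): string =>
  new URL(path, 'http://placeholder.invalid').pathname;

export const isPublicPath = (path: string): boolean => {
  const p = normalizePath(path);
  return PUBLIC_PATHS.has(p) || PUBLIC_DIRS.some((dir) => p.startsWith(dir));
};

// Constructed in-memory session store standing in for a real store / JWT check.
const SESSIONS = new Map<string, Session>();

export const verifySession = (cookie: string | undefined, now: number): Session | null => {
  if (!cookie) return null;
  const session = SESSIONS.get(cookie);
  if (!session) return null;
  if (session.expiresAt <= now) {
    SESSIONS.delete(cookie); // expired sessions are dropped, not renewed
    return null;
  }
  return session;
};

export const decideAccess = (req: AccessRequest, now = Date.now()): Decision => {
  const path = normalizePath(req.path);
  if (isPublicPath(path)) return { kind: 'allow' };
  if (verifySession(req.sessionCookie, now)) return { kind: 'allow' };
  // Anything not explicitly public requires a live session; send the user to
  // the login page and remember where they were heading.
  return { kind: 'redirect', location: `/login?next=${encodeURIComponent(path)}` };
};

// Mint a constructed session (what the OAuth callback or ACCESS_CODE login would do).
export const issueSession = (userId: string, ttlMs: number, now = Date.now()): string => {
  const cookie = randomUUID(); // opaque, unguessable handle into the store
  SESSIONS.set(cookie, { userId, expiresAt: now + ttlMs });
  return cookie;
};
```

Hooking this into a real deployment means running it where every request passes through (edge middleware or the proxy), not inside individual API handlers, otherwise the UI still renders before the check happens.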

@cy948
Contributor

cy948 commented Feb 28, 2024

I think the current protection of resources is sufficient. By specifying ACCESS_CODE or using OAuth, we can prevent unauthorized users from abusing our resources.

  • If you want personalized page access control, you can refer to the documentation of NextAuth and implement it in your own project.
  • Or if you want to extend the existing access control, you can try modifying some files. For example, if you want to force everyone to chat only after OAuth or after providing an ACCESS_CODE, you can modify the code like this:
    in src\app\api\chat\auth.ts:
export const checkAuthMethod = (
  accessCode?: string,
  apiKey?: string,
  oauthAuthorized?: boolean,
) => {
  const { ACCESS_CODES, ENABLE_OAUTH_SSO } = getServerConfig();

  // if OAuth 2 header is provided
  if (ENABLE_OAUTH_SSO && oauthAuthorized) return;

  // if apiKey exist
- if (apiKey) return;

  // if accessCode doesn't exist
  if (!ACCESS_CODES.length) return;

  if (!accessCode || !ACCESS_CODES.includes(accessCode)) {
    console.warn('tracked an invalid access code, 检查到输入的错误密码:', accessCode);
    throw AgentRuntimeError.createError(ChatErrorType.InvalidAccessCode);
  }
};
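Review bot: removing `if (apiKey) return;` closes the API-key bypass, but `if (!ACCESS_CODES.length) return;` a few lines below still lets every request through when no ACCESS_CODES are configured and OAuth is disabled, so "force everyone" only holds if ACCESS_CODES is guaranteed non-empty; consider failing closed there (throw when neither ENABLE_OAUTH_SSO nor ACCESS_CODES is configured) instead of returning. Two smaller points: the `console.warn` writes the submitted invalid access code to the logs in clear, so a wrong-by-one-character guess of a real code ends up in log storage; logging only the fact of the failure (or a truncated hash) is safer. And this check runs inside the chat API route, so the front end still renders for unauthenticated visitors, which is the gap the issue is about.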

@dbnewman
Author

To give some context, the type of auth we are looking for is what OpenAI has implemented, where you need to authenticate BEFORE seeing the front end. We are looking to use this for internal users, but will be using public cloud infrastructure, so having that auth in front of the application reduces the possible impact of any vulnerabilities.

The current implementation will load the front end without any auth, and then request auth to use any of the functions.

@cy948
Contributor

cy948 commented Feb 28, 2024

> To give some context, the type of auth we are looking for is what OpenAI has implemented, where you need to authenticate BEFORE seeing the front end. We are looking to use this for internal users, but will be using public cloud infrastructure, so having that auth in front of the application reduces the possible impact of any vulnerabilities.
>
> The current implementation will load the front end without any auth, and then request auth to use any of the functions.

This feature may require community discussion before being implemented. In the meantime, you can use the access control features provided by the public cloud you are using, such as deployment-protection on Vercel.

@shigomany

I think we need to use something like an admin that can register users. To be able to open Lobe Chat on any device on the web under your user (with your own data about chats and settings)

@arvinxx
Contributor

arvinxx commented Mar 1, 2024

> I think we need to use something like an admin that can register users. To be able to open Lobe Chat on any device on the web under your user (with your own data about chats and settings)

We are considering this seriously. And you will see the change happen 😄

@shigomany

> > I think we need to use something like an admin that can register users. To be able to open Lobe Chat on any device on the web under your user (with your own data about chats and settings)
>
> We are considering this seriously. And you will see the change happen 😄

I look forward to it)

@lobehubbot lobehubbot added the Inactive No response in 30 days | 超过 30 天未活跃 label Apr 1, 2024
@arvinxx arvinxx added this to the LobeChat 1.0 milestone Apr 3, 2024
@lobehubbot
Member

@dbnewman

This issue is closed. If you have any questions, you can comment and reply.
This issue has been closed. If you have any questions, you can leave a comment and reply.

@lobehubbot
Member

🎉 This issue has been resolved in version 0.154.0 🎉

The release is available on:

Your semantic-release bot 📦🚀
