(http) Authentication enabled by default

How complex would it be to have authentication enabled by default?

We were setting up our Pioreactor and checked the default proposed URL and tada! one was already running on our campus.

Without them realising, we could have potentially disabled / killed / removed / messed up their experiments. I know: never use default settings, but it was no surprise that this was happening (they also run quite a few versions behind).

Ah wow, that's an interesting failure condition I never considered…

So, you can change that default URL, pioreactor.local: look for the domain_alias in the configuration (this requires a restart to take effect). I suggest changing it so the other group won't be affected.

More generally, there is an open issue to enable secure authentication (which also would include admin/user privileges). The biggest hurdle is https. We need https to send passwords between clients and the server. However, https on a locally hosted website is complicated. One needs to create a certificate that will be shared between the client and server. This involves the client adding the certificate to their computer / browser, and it’s a very user-unfriendly step.

However, there is insecure authentication available as a plugin: GitHub - Pioreactor/pioreactor-basic-auth-for-ui. I say insecure since passwords are sent base64-encoded, so anyone snooping on the wifi could intercept them. But this provides some level of control over who sees your experiments.

Since this is insecure, I don't want to enable it by default, since it would give less-tech-savvy people the feeling of security when it's in fact still not secure.
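The interception described in the post above, as an added example that is not part of this thread or of the pioreactor-basic-auth-for-ui plugin: the first function constructs the request a browser sends for HTTP Basic auth over plain http (RFC 7617), the second does what a passive sniffer on the same Wi-Fi would do with that request. The host name, path, user and password are made-up sample values; no real Pioreactor traffic is involved.

```python
import base64
import binascii
from typing import Dict, List, Optional, Tuple

# Added example (not the plugin's or Pioreactor's code). Demonstrates that
# Basic auth over http is encoding, not encryption: the credential is fully
# recoverable by anyone who can read the packets. Sample values are constructed.


def build_plaintext_request(user: str, password: str,
                            host: str = "pioreactor.local") -> str:
    """Construct the request a browser would send for Basic auth over http.

    RFC 7617: the Authorization value is base64("user:password"). For
    labuser / hunter2 this is 'Basic bGFidXNlcjpodW50ZXIy'.
    """
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return (
        "GET /api/experiments HTTP/1.1\r\n"   # assumed path, for illustration
        f"Host: {host}\r\n"
        f"Authorization: Basic {token}\r\n"
        "Accept: application/json\r\n"
        "\r\n"
    )


def extract_basic_credentials(raw_request: str) -> Optional[Tuple[str, str]]:
    """Recover (user, password) from one captured plaintext HTTP request.

    Returns None when there is no Basic Authorization header or it is malformed.
    """
    head, _, _ = raw_request.partition("\r\n\r\n")
    for line in head.split("\r\n")[1:]:           # skip the request line
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "authorization":
            continue
        scheme, _, token = value.strip().partition(" ")
        if scheme.lower() != "basic":             # Bearer, Digest etc.: not our concern here
            return None
        try:
            decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            return None
        # RFC 7617: split at the FIRST colon; the password itself may contain colons.
        user, sep, password = decoded.partition(":")
        if not sep:
            return None
        return user, password
    return None


def harvest(capture: List[str]) -> Dict[str, Tuple[str, str]]:
    """Sniffer view of a whole capture: Host header -> first credential seen."""
    found: Dict[str, Tuple[str, str]] = {}
    for raw in capture:
        creds = extract_basic_credentials(raw)
        if creds is None:
            continue
        host = "?"
        for line in raw.split("\r\n")[1:]:
            if line.lower().startswith("host:"):
                host = line.split(":", 1)[1].strip()
                break
        found.setdefault(host, creds)
    return found


if __name__ == "__main__":
    # Constructed capture: two labs' Pioreactors on the same network, one
    # request without any authentication at all.
    capture = [
        build_plaintext_request("labuser", "hunter2"),
        build_plaintext_request("other-lab", "pa:ss:word", host="bioreactor-b.local"),
        "GET /api/experiments HTTP/1.1\r\nHost: pioreactor.local\r\n\r\n",
    ]
    for host, (user, pw) in harvest(capture).items():
        print(f"{host}: user={user!r} password={pw!r}")
```

The only thing that stops this is putting TLS underneath the HTTP exchange, which is exactly the https hurdle the post above describes; any scheme that sends a reusable secret in the clear, encoded or not, falls to the same one-liner.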

Thanks for the quick reply! Indeed https might be tricky.

The point is that, at the moment, by default, as you mentioned, the less-tech-savvy people have no authentication at all, with all the issues that could arise from that.

We installed the basic auth plugin immediately, and a little bit of security is better than no security, even though it might be misleading. I am planning to do a network sweep just to see how many other customers you have from our location :wink: