Multibot autoloading from backend endpoints #1094
Comments
Well this is technically a duplicate of #591. So before starting to do anything - There is no "main backend" for freqtrade/freqUI - where you can store generic information not tied to a specific bot - each UI can connect to each bot (assuming CORS is configured correctly). So the only solution that jumps to my mind at this point is to push auth information for all bots to one bot (or to all bots?) Pushing to all bots is dangerous - and not something I see as an acceptable solution. The most likely scenario I can see is the possibility to download a configuration file, which you can then play back. I'd see everything else as a security risk you have to compare to "leave your password file around unencrypted".
What I had in mind was to leave the back-end implementation solely to the user and create just the loading logic in the UI. Probably just a statically served JSON file managed by whichever multiple-bot deployment process the user uses (in my case that is ansible). The reasoning behind this approach was that it would give users a powerful UI management tool, without the need to compromise any of the backend infrastructure, which they could tie to their own logic. The security concerns with that are significant, especially considering most users will probably not even bother to set up SSL and the bot keys would be unencrypted. It would also be quite difficult to set up. Having given it some more thought, I've come up with a just as powerful solution, without such problems:
Leaving the backend implementation to the user means it'll be effectively a dead piece of code which will be unmaintainable / unsupportable. Every change can break someone's system - as you don't know how/what they're actually using and why it's breaking this case, but not the other. I'm fine with an "export" button (somewhere in settings or so) - which can export settings (maybe plot configs, ...) - and the configured bots (without credentials!). Where / how that is stored is then up to the user - as it doesn't contain sensitive information (it'll require re-login once the configuration is added) - it'll not expose anything other than the IP/port combinations (but neither the password, nor access tokens).
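The credential-free export described in the comment above, sketched as an added example; it is not part of the thread and not freqUI's code. The stored-entry field names, `EXPORT_FIELDS`, `exportBots`, `importBots` and `needsLogin` are all assumptions made for illustration.

```javascript
// Added example. The stored-entry shape is an assumption, not freqUI's schema.
const EXPORT_FIELDS = ['botName', 'apiUrl']; // allowlist of non-secret fields

// Constructed sample of what a browser-side store might hold per bot.
const sampleStore = {
  'ftbot.1': { botName: 'alpha', apiUrl: 'https://10.0.0.5:8080',
               accessToken: 'constructed-access', refreshToken: 'constructed-refresh' },
  'ftbot.2': { botName: 'beta', apiUrl: 'http://10.0.0.6:8080',
               accessToken: 'constructed-access-2', password: 'constructed' },
};

// Export through an allowlist: a secret field added to the store later is
// left out by default, where a denylist would silently leak it.
function exportBots(store) {
  const bots = Object.entries(store).map(([botId, entry]) => {
    const out = { botId };
    for (const field of EXPORT_FIELDS) {
      if (typeof entry[field] === 'string') out[field] = entry[field];
    }
    return out;
  });
  return JSON.stringify({ version: 1, bots }, null, 2);
}

// Import treats the file as untrusted input: unknown keys are dropped, the
// URL must be http(s) with no embedded userinfo, and every bot is logged out.
function importBots(json) {
  const parsed = JSON.parse(json);
  if (!parsed || !Array.isArray(parsed.bots)) throw new Error('invalid export file');
  const store = Object.create(null); // no prototype, so "__proto__" is just a key
  for (const bot of parsed.bots) {
    if (!bot || typeof bot.botId !== 'string' || typeof bot.apiUrl !== 'string') continue;
    let url;
    try { url = new URL(bot.apiUrl); } catch { continue; }
    if (!['http:', 'https:'].includes(url.protocol)) continue;
    if (url.username || url.password) continue; // no credentials hidden in the URL
    store[bot.botId] = {
      botName: typeof bot.botName === 'string' ? bot.botName : bot.botId,
      apiUrl: url.origin,
      needsLogin: true, // the user re-authenticates after import
    };
  }
  return store;
}
```
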
Export button with no credentials is pretty much useless; by that point it's much easier to just copy the entire pinia store to other devices/users. There is also no way to reasonably automate the process. While I do see the security problems with storing an unencrypted export file, there have been quite a few exploits recently which targeted the browser profile files; export with credentials would not be much of a problem when the entire local storage is taken away instead. My point is that if any of the systems using the exported file were to be compromised, the attackers would most likely ignore a random export.json file (containing the access tokens) somewhere in the file system and instead just take the entire pinia store, which contains those details in plain text. Technically, storing the access tokens on some random cloud service is much safer than storing them in the persistent pinia store. Two reasonably secure solutions I can think of from here are:
Neither of the 2 solutions you've proposed makes sense. Implementation, maintenance and setup efforts are too high for what we're trying to solve. Even if we were to support a "UI modules" plugin system - it'd definitely not be allowed to write authentication (most likely also not read - but go through the available API service) - so will not satisfy your needs. I don't really see why the export / import doesn't work. That will cover 90% of the use cases. It may not 100% cover your particular use case, but there are very few people who try to automate their browser with ansible (or any other tool, for that matter) - so I see this as an edge use case.
Is your feature request related to a problem? Please describe.
I find myself switching devices or clearing browser cache for development quite frequently, which means that the local storage with all my pre-configured bots disappears and I have to add them back one by one manually.
Describe the solution you'd like
A setting which would, on dashboard load, fetch a JSON configuration with all the bot parameters from a backend endpoint. This would allow for an automated way of adding more bots and persistence between devices. An authentication method would also be necessary - bearer token or basic HTTP auth should be sufficient. Also a way to export all the currently configured bots.
Describe alternatives you've considered
A JavaScript injection which calls a backend endpoint and injects the corresponding bot information into localStorage.
Additional context
I am quite happy to contribute if you agree that the idea is a good fit for the UI.