-
-
Notifications
You must be signed in to change notification settings - Fork 296
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Plans to save bot config to a json file for cross browser support? #591
Comments
while i can see a possibility to export the UI config - it's for sure not going to be done the way you're proposing (by uploading it to one of the bot's api's). The only way i can imagine this to be done somewhat safely is by having a "export UI configuration" button in the UI, which will download the configuration, and have a corresponding "import configuration" which allows you to load this again. |
Thanks for your reply! I'm not sure an import/export button would solve this problem. That would definitely be useful but for the cross-browser/device support it adds an additional step of storing your UI config somewhere safe, but also accessible by all your devices. I think this still could be possible and maintain secure bot access. What I'm thinking is the below. I'm sure there is room for the security to be improved. These are just rough thoughts initially. Config Storage
Probably something like: {
// ...
"webserver" :{
"preconfigured_bots" : [
{
"name" : "bot1",
"url" : "http://bot1:8080",
"username" : "bot1",
// the password would be a salted and encrypted version of the password
"password" : "ii_9DBkIqeqi6Hhbc3_81eDGI6Acv1NcqtiWMaR259"
}
],
"login" : "supersecretlogin",
"password" : "anotherSecretPass"
}
} Bot Management
Security
|
So to summarize, we'd have one place that holds all the credentials (the config) for all other bots, have this "exposed via an endpoint to the UI (you'll have to have the credentials in the browser in the end), and which holds the jwt credentials (or whatever else) to all other bots. So from a security perspective - this is the worst possible scenario if you ask me. Nothing you put in front of this "one place" will make it secure enough to justify such an architecture - not for an open source project we expect people to deploy themselves, where we have no control over the way this endpoint is exposed. You also always have to consider that it's possible to have bugs (either in the code that exposes / protects this - or in libraries responsible for that). So to be honest, i'm not convinced - and if you think carefully, you'll only have to do this setup once - not every day - so it's a lot of hastle, a lot of code to maintain, and a lot of added risk for very little benefit. |
It would be cool to save added bots configs without passwords in frequi. @xmatthias Do you know a workaround for now, how to save and restore the added bots in a different browser? Thanks |
you can always manually copy/paste the data from the local store in the browser. |
Is your feature request related to a problem? Please describe.
Right now if you setup a multi-bot frequi instance you add each bot within the UI, and setup the CORS accordingly. This seems to be stored in
localStorage
. So, if you access your UI from another browser, device, or reset cache all the bots are required to be re setup again.Describe the solution you'd like
Ideally this would be stored in a config.json, or added to the primary UI's config.json possibly under the
api_server
config. This could be an array of bot objects stored in the primary config and loaded when the UI loads. This would additionally require a username / password to access the UI itself since all data would be immediately accessible when the UI loaded.Describe alternatives you've considered
There are no clear alternatives that I've found.
Additional context
I've glanced at the code itself and am curious if it's something that I would be able to handle and if it's something that you see as within the scope of this project.
The text was updated successfully, but these errors were encountered: