-
-
Notifications
You must be signed in to change notification settings - Fork 1.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
support for private instances #4259
Conversation
This is a modification of PR iv-org#3728. And addresses iv-org#446 Server admins can set the instance to be private. Which means it is only accessible with a registered user account. The endpoints `/api/v1/popular` and `/api/v1/trending` are whitelisted because some clients expect them to be open.
What is the exact difference between "private_instance" and "redirect_login"? |
When an instance is set to private, the administrator can choose whether they want to redirect to the login page. E.g. A user accesses the page |
Thank you for the feedback with the differences. But what's the use case for the parameter "private_instance" here? It returns a blank page. How are the registered users supposed to use the instance if it returns a blank page for the home page? |
Foremost. Sorry, for the failing workflows. That was me being stupid … Regarding your question. Registered users can still access the page via It's more or less: Security through obscurity. People end up on one's instance for whatever reason. But it is not clear from the beginning whether the site is working or not. So they might think, “Oh, it's broken” and go their merry way. I know that this isn't really secure, but it obfuscates the instance at least a little. |
Well for me this functionality shouldn't be in invidious. It's something that you can do on the reverse proxy side. I do understand why the log in functionality is implemented in invidious because you can't do this on the reverse proxy side. But the idea to hide the home page is something so niche that I don't think this should be included into the core of invidious. |
Also Security by obscurity will not help against real threats. The rest of the feature is looking good |
Okay, I removed And linting should work now 😆 I ran: |
The before_all handler isn't called for the error routes. See kemalcr/kemal#663. Is that likely to impact this PR? On those endpoints, Invidious will always be open to those without an account. I'm not sure if that that has any implications. |
No, since non-existing routes are not whitelisted, these requests will always be forwarded to the login page. |
What further changes are expected here? |
From my side, it is good to go. |
The user is being redirected but it seems like the handlers for the various endpoints are still being called in the end. Try increase the log level to trace and query the /search endpoint. You'd see that the user got redirected to the /login page but the handler is still called and the query is still sent to YouTube, parsed, etc. |
Okay, but I assume that is something that needs to be handled in another PR? Since this is an issue not directly related to private instances… |
Agreed. Let’s not creep more features into this and instead release. |
It very much is directly related and not a feature creep. It is a bug of the way private instances are implemented in this PR. This PR redirects to /login for all endpoints when the user is not logged in. But the logic for those routes are still being ran anyways. Not only is this not right for how a redirect should work, this bug:
This is something that needs to be fixed for this PR to be merged |
I'll take a look at this. |
I'm looking for this patch. Is it going to be merged soon? |
This pull request has been automatically marked as stale and will be closed in 30 days because it has not had recent activity and is much likely abandoned or outdated. If you think this pull request is still relevant and applicable, you just have to post a comment and it will be unmarked. |
Had this running I production for months now. |
this comment is still the reason why this PR hasn't been merged yet: #4259 (comment) |
I'm currently short on time. I'll update the PR as soon as possible. |
This pull request has been automatically marked as stale and will be closed in 30 days because it has not had recent activity and is much likely abandoned or outdated. If you think this pull request is still relevant and applicable, you just have to post a comment and it will be unmarked. |
Activity |
We will reopen the PR once #4259 (comment) has been tackled. |
This is a modification of PR #3728. And addresses #446
Server admins can set the instance to be private. Which means it is only accessible with a registered user account.
The endpoints
/api/v1/popular
and/api/v1/trending
are whitelisted because some clients expect them to be open.