Login for backend

[saschafoerster]

I just found this nice project searching for a clock to add in an OBS multiview, but this is so much more. I wondered, if there is a protection for the backend, if Onetime is installed on a web server online, for instance behind a domain like time.DOMAIN.TLD.
Or is there a way to use HTTP authentication and hide certain parts of ONTIME behind this?

[Keksstar]

@cpvalente I guess that´s what the Editor Pincode is meant for?

[saschafoerster]

@cpvalente I guess that´s what the Editor Pincode is meant for?

Which is fine in a local network for a certain time, but not really good, when putting this onto a public reachable webserver, which I would like to do.

[cpvalente]

Hi @saschafoerster, thank you for reaching out.

Currently, Ontime does not offer any means of authentication. We would generally recommend that the burden of permission is moved to the network access.

Handling this ontime's side can be tricky considering the app's ambitions towards integrations. With potential for unwelcome tradeoffs

Either way, what level of security would you be looking to achieve?

When this came up in the past, I have suggested that we would only add authentication behind the REST API, meaning the access to the rundown. This would still leave unprotected all other endpoints for OSC, HTTP and WebSockets, which give access to runtime data and control

Perhaps we can compile some requirements and do some experiments?

[je71175]

Have a look into cloudflare

https://www.cloudflare.com/en-gb/lp/ppc/zero-trust-network-access-x/

Allowed you to expose apps (Inc docker containers) to a public url
This YouTube is helpful
https://youtu.be/ZvIdFs3M5ic

Cheers