Authentication #7

Open
Merovius opened this issue Dec 4, 2018 · 1 comment
Labels
enhancement New feature or request

Comments

@Merovius
Owner

Merovius commented Dec 4, 2018

We should have some way to do HTTP-authentication. This would enable us to listen on the wifi-interface too, meaning we wouldn't have to be connected via USB. The main question is how to configure credentials.

  • TLS is hard to do, because we don't have a publicly available domain name. So the user would have to provide certificates for us (bad UX) or we'd have to rely on self-signed certs (insecure).
  • Basic Auth requires the user to set a password - again, bad UX. We could authenticate against /etc/shadow, but without TLS that's a bad idea too.
  • I think a somewhat user-friendly way would be a trust-on-first-use U2F auth - the user connects to the device, enrolls a security key and can then - using that key - authenticate as privileged. But not everyone has U2F keys, sadly.
  • We could make this configurable via the web-UI itself. The user connects over USB, sets up an authentication mechanism (e.g. a basic password) and enables listening over wifi. However, the usb-only restriction is currently implemented in the service-file, changing that programmatically is icky…

Needs some thinking.

@Merovius Merovius added the enhancement New feature or request label Dec 4, 2018
@kdohmann

Perhaps the idea to get credentials could be combined with the idea of remarkable_pdflets. (see https://github.com/evidlo/remarkable_pdflets)

  • Generate a one-time password and generate a PDF showing the password
  • The user who has control over the device can read this PDF and then use the HTTP interface.
  • The daemon generates another password if
    • Password was used, or
    • PDF was deleted. This could be detected using inotify.
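
The one-time-password lifecycle proposed in the comment above, sketched as an added example (not code from this project or from either commenter). The `OTP` type and its methods are hypothetical names; rendering the PDF and watching it with inotify are left to the caller, which calls `Rotate` at startup and whenever the PDF is deleted.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/base32"
	"fmt"
	"sync"
)

type OTP struct {
	mu      sync.Mutex
	current string // the single valid one-time password; "" means none
}

// Rotate installs and returns a fresh password for the caller to render into the PDF.
func (o *OTP) Rotate() (string, error) {
	o.mu.Lock()
	defer o.mu.Unlock()
	return o.rotateLocked()
}

func (o *OTP) rotateLocked() (string, error) {
	buf := make([]byte, 10) // 80 random bits -> 16 base32 characters
	o.current = ""          // fail closed: no valid password if the RNG errors
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	o.current = base32.StdEncoding.EncodeToString(buf)
	return o.current, nil
}

// Redeem compares in constant time and consumes a match under the same lock, so a replay fails.
func (o *OTP) Redeem(guess string) (ok bool, next string, err error) {
	o.mu.Lock()
	defer o.mu.Unlock()
	if o.current == "" || subtle.ConstantTimeCompare([]byte(guess), []byte(o.current)) != 1 {
		return false, "", nil
	}
	next, err = o.rotateLocked()
	return true, next, err
}

func main() {
	var o OTP
	pw, _ := o.Rotate()
	fmt.Println(o.Redeem(pw)) // first use succeeds and yields the replacement
	fmt.Println(o.Redeem(pw)) // replaying the same password is rejected
}
```

Without TLS the password still crosses the wifi network in the clear, so single use limits replay but does not hide it from an observer.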
