Creates the API layer for Open Notebook Creates a services API gateway for the Streamlit front-end Migrates the SurrealDB SDK to the official one Change all database calls to async New podcast framework supporting multiple speaker configurations Implement the surreal-commands library for async processing Improve docker image and docker-compose configurations
133 lines
No EOL
3.9 KiB
Markdown
133 lines
No EOL
3.9 KiB
Markdown
# Security
|
|
|
|
Open Notebook includes optional password protection for users who need to deploy their instances publicly.
|
|
|
|
## Password Protection
|
|
|
|
### When to Use Password Protection
|
|
|
|
- **Public Hosting**: When deploying on cloud services like PikaPods, DigitalOcean, AWS, etc.
|
|
- **Shared Networks**: When running on networks where others might access your instance
|
|
- **Team Deployments**: When multiple people need controlled access to the same instance
|
|
|
|
### When NOT to Use Password Protection
|
|
|
|
- **Local Development**: When running on your local machine for personal use
|
|
- **Private Networks**: When running on secure, private networks
|
|
- **Single User**: When you're the only person with access to the machine
|
|
|
|
## Setup
|
|
|
|
### 1. Environment Configuration
|
|
|
|
Add the password to your environment configuration:
|
|
|
|
**For regular deployment:**
|
|
```bash
|
|
# In your .env file
|
|
OPEN_NOTEBOOK_PASSWORD=your_secure_password_here
|
|
```
|
|
|
|
**For Docker deployment:**
|
|
```bash
|
|
# In your docker.env file
|
|
OPEN_NOTEBOOK_PASSWORD=your_secure_password_here
|
|
```
|
|
|
|
### 2. Password Requirements
|
|
|
|
- Use a strong, unique password
|
|
- Avoid common passwords or dictionary words
|
|
- Consider using a password manager to generate and store the password
|
|
- The password is case-sensitive
|
|
|
|
### 3. Restart Services
|
|
|
|
After setting the password, restart all services:
|
|
|
|
```bash
|
|
# If using make commands
|
|
make stop-all
|
|
make start-all
|
|
|
|
# If using Docker
|
|
docker compose down
|
|
docker compose --profile multi up
|
|
```
|
|
|
|
## How It Works
|
|
|
|
### Streamlit UI Protection
|
|
|
|
- Users see a login form when accessing the application
|
|
- Password is stored in the browser session
|
|
- Users remain logged in until they close the browser or clear session data
|
|
- No logout button is provided - users can clear browser data to log out
|
|
|
|
### API Protection
|
|
|
|
- All API endpoints require the password in the Authorization header
|
|
- Format: `Authorization: Bearer your_password`
|
|
- Health check endpoint (`/health`) is excluded from authentication
|
|
- API documentation (`/docs`) is excluded from authentication
|
|
|
|
### Example API Usage
|
|
|
|
```bash
|
|
# Without password protection
|
|
curl http://localhost:5055/api/notebooks
|
|
|
|
# With password protection
|
|
curl -H "Authorization: Bearer your_password" http://localhost:5055/api/notebooks
|
|
```
|
|
|
|
## Security Considerations
|
|
|
|
### This is Basic Protection
|
|
|
|
The password protection is designed for basic access control, not enterprise security:
|
|
|
|
- Passwords are transmitted and stored in plain text
|
|
- No user roles or permissions system
|
|
- No session management or timeout
|
|
- No password complexity requirements
|
|
- No protection against brute force attacks
|
|
|
|
### Production Recommendations
|
|
|
|
For production deployments requiring robust security:
|
|
|
|
1. **Use HTTPS**: Always deploy behind HTTPS/TLS
|
|
2. **Reverse Proxy**: Use nginx or similar with additional security headers
|
|
3. **Network Security**: Implement proper firewall rules
|
|
4. **Regular Updates**: Keep Open Notebook and dependencies updated
|
|
5. **Monitoring**: Log access attempts and monitor for suspicious activity
|
|
|
|
## Troubleshooting
|
|
|
|
### Common Issues
|
|
|
|
**401 Unauthorized Errors:**
|
|
- Check that the password is set correctly in your environment
|
|
- Verify the Authorization header format: `Bearer your_password`
|
|
- Restart all services after setting the password
|
|
|
|
**UI Not Showing Login Form:**
|
|
- Ensure the `OPEN_NOTEBOOK_PASSWORD` environment variable is set
|
|
- Check that the Streamlit service restarted properly
|
|
- Clear browser cache and cookies
|
|
|
|
**API Calls Failing:**
|
|
- Verify the password is included in the Authorization header
|
|
- Check that the API service has access to the environment variable
|
|
- Test with a simple curl command first
|
|
|
|
### Getting Help
|
|
|
|
If you encounter issues with password protection:
|
|
|
|
1. Check the application logs for error messages
|
|
2. Verify environment variables are set correctly
|
|
3. Test with a simple password first
|
|
4. Join our [Discord server](https://discord.gg/37XJPXfz2w) for community support
|
|
5. Report bugs on [GitHub Issues](https://github.com/lfnovo/open-notebook/issues) |