Support other login methods

[fdw]

Paperless allows authentication through a proxy server with PAPERLESS_ENABLE_HTTP_REMOTE_USER. It seems that Paperless Mobile cannot deal with that, as it still asks me to enter username and password, but fails to log me in.

Do you think it would be possible to support this, too? I think in general it's a bad idea if the app needs to know my password.

[JigSawFr]

FYI, I'm using HTTP Remote user too, but API needs to be authenticated.

[fdw]

Can you elaborate that, please? What do you mean with "needs to be authenticated"? Should I exclude that from the proxy?

[astubenbord]

Hi, thanks for the request. I'd have to look into how the authentication process works, but I think it should be possible.

I think in general it's a bad idea if the app needs to know my password.

Could you elaborate on that?

[fdw]

I haven't looked at what Paperless offers, but in general, I like how OAuth 2 manages things: The user authenticates only against the server (in a browser/webview or something), and authorizes the app to work on their behalf. The app only gets some kind of token, but never has access to the user's credentials. Therefore, I (as the user) don't have to trust the app with my credentials and can revoke the authorization at any point.

I expect that Paperless doesn't offer this (again, I haven't checked), but I think this is a good idea.

[astubenbord]

Not sure if this is what you mean, but there is currently a PR to add support for SSO paperless-ngx/paperless-ngx#1746

Once I find the time I'll check what would have to be done to implement this in the app. I also agree that OAuth 2 is more user friendly and secure than plain user credentials.
But considering that the app being fully open source, I don't quite understand your point that you'd have to trust the app? In general I would agree if the app is closed-source and there is no way of knowing what happens to your credentials in the background. In this case, however, one could also build the app from source if there were reasonable concerns that the apk uploaded to e.g. google play was built based on a modified code base. Please feel free to let me know what concerns you have, maybe I'm wrong or I just don't understand the issue here really.

Thanks!

[fdw]

Please don't take this the wrong way! I meant it as a general statement in regards to all applications, everywhere, independent of this one :)

I also think OSS apps are more trustworthy than closed ones, and I did not even think about any specific implementation, more as a general comment regarding protocols/service architecture.

Sorry for any confusion!

[astubenbord]

No worries, I was just curious :) I totally agree with you, I also wish more open source projects would support OAuth and SSO.

Anyway, I'll see what I can do, but don't expect this to be implemented quickly because I currently lack the free time to implement and maintain other (more urgent) features.

Cheers

[fdw]

No hurry, this already got more attention than I feared, so thanks for that and everything! 🙂

[JigSawFr]

It depends mainly on what paperless offers. If you use something like Authelia, you need to exclude API endpoints to work with (you have example on Saltbox project). The best thing would be a saml mechanism, an API token or a simple first login that generate a token. But we depend on upstream for these kind of things