Disable GUI Authentication User&Password Popup

Is it possible to disable the GUI Authentication User&Password Popup? I use LastPass, but it doesn't autofill passwords into popups.

A bit annoying to copy paste the password every time when accessing Syncthing. A regular login page would be convenient…

It’s not advisable, but you can hardcode the username and password into the URL and bookmark that. I think we have a ticket for implementing a proper login page, yet nobody cares enough about this to implement it. If your Syncthing is listening on localhost only, and you are the only one using the machine, you can probably disable authentication altogether.

see https://github.com/syncthing/syncthing/issues/4137

2 Likes

No issue here with the native Firefox password manager. Maybe I'm missing something.

Probably works fine with the browser built-in password managers, but for example 1Password doesn’t like our current system. I’d be happy to see it become a real login page instead.

2 Likes

I’m not such a huge fan of not setting passwords for convenience reasons.

Who knows Syncthing is also vulnerable to this kind of DNS rebinding attack etc.: https://arstechnica.com/information-technology/2018/01/bittorrent-users-beware-flaw-lets-hackers-control-your-computer/?comments=1

We prevented that particular vulnerability a while back.

1 Like

See also:

How do I hardcode the username & password in the url? I tried:

First one should work, unless your browser actually prevents it from working.

1 Like

I had to URL-encode my password too, whoops. Now it works fine.

https://codebeautify.org/url-encode-string

I hacked it by combining basic authentication and setting a header in my reverse proxy.

http://user:password@ip:port can be used to login.

Adding the user:password part can also be done in the reverse proxy (nginx in my case).

My config looks like this and will auto login user syncthing (no password)

# reverse proxy for syncthing
server {
    listen 0.0.0.0:80;

    location / {
         proxy_set_header Host $host;
         proxy_set_header X-Real-IP $remote_addr;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
         proxy_set_header X-Forwarded-Proto $scheme;
         proxy_set_header Authorization "Basic c3luY3RoaW5nOg==";

         proxy_pass http://localhost:8383;
    }
}

I don’t want (and need) the prompt as I run my own authentication with Vouch Proxy. It would be nice if Syncthing would allow header (also named proxy) authentication like FileBrowser and Navidrome.
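An added example, not part of the thread or of Syncthing: it decodes the `Authorization` value from the nginx config above to show it is plain base64 of `user:password`, percent-encodes credentials for the URL form discussed earlier, and checks a config for injected credentials that nothing gates. The function names, the two audit rules, the trimmed sample config and the sample password are assumptions made for illustration.

```python
import base64
import re
from urllib.parse import quote

def decode_basic_auth(header):
    """Recover (user, password) from a Basic header; base64 is an encoding, not encryption."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic Authorization header")
    user, sep, password = base64.b64decode(token.strip(), validate=True).decode("utf-8").partition(":")
    if not sep:
        raise ValueError("missing ':' between user and password")
    return user, password

def url_with_credentials(user, password, host, port, scheme="http"):
    """Percent-encode userinfo so '@', ':' or '/' in a password cannot change how the URL parses."""
    return f"{scheme}://{quote(user, safe='')}:{quote(password, safe='')}@{host}:{port}/"

AUTH_RE = re.compile(r'proxy_set_header\s+Authorization\s+"(Basic\s+[A-Za-z0-9+/=]+)"\s*;')
LISTEN_RE = re.compile(r'^\s*listen\s+(\S+?)[\s;]', re.M)
GATE_RE = re.compile(r'^\s*(auth_request|auth_basic)\s+(?!off\b)\S', re.M)
LOOPBACK = ("127.", "localhost", "[::1]")

def audit_nginx(conf):
    """Report static Basic credentials a proxy injects and whether anything gates access to them."""
    findings = []
    injected = [decode_basic_auth(m.group(1)) for m in AUTH_RE.finditer(conf)]
    for user, password in injected:
        note = "empty password" if password == "" else "password readable from the config file"
        findings.append(f"injects login for user '{user}' ({note})")
    exposed = [a for a in LISTEN_RE.findall(conf) if not a.startswith(LOOPBACK)]
    if injected and exposed and not GATE_RE.search(conf):
        findings.append(f"listens on {', '.join(exposed)} with no auth_request/auth_basic in front")
    return findings

# The configuration from the post above, trimmed, as sample input.
SAMPLE_CONF = '''
server {
    listen 0.0.0.0:80;
    location / {
        proxy_set_header Authorization "Basic c3luY3RoaW5nOg==";
        proxy_pass http://localhost:8383;
    }
}
'''

if __name__ == "__main__":
    print("\n".join(audit_nginx(SAMPLE_CONF)))
    print(url_with_credentials("syncthing", "p@ss:w/rd", "127.0.0.1", 8384))  # constructed values
```

A config that gates the location with `auth_request`, as a Vouch Proxy setup typically does, or that listens on loopback only, yields just the first finding.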