
Let us remove the Forgot Password button on login screen


Jooki


at our own risk, of course.

It has a serious vulnerability: it can easily be used maliciously. Say that a random Russian/Chinese scan finds your server and discovers that port 8096 is reachable. They get in and see a series of usernames, all password-protected. Then they go to Forgot Password and enter any of those usernames; each attempt creates a file on our server. A simple script can automate that, and if run indefinitely it can easily and quickly flood the hard drive.


There is no chance that I, as sysadmin, will forget my goddamn passwords anyway...


PenkethBoy

You can disable users appearing on the login screen, both LAN and WAN, which means that somebody has to know the username before they try to log in.

 

Not the same, but close.

Jooki

> You can disable users appearing on the login screen, both LAN and WAN, which means that somebody has to know the username before they try to log in.
>
> Not the same, but close.

I know, please understand that I don't want to do that :D

 

It's as simple as someone coming in and entering "admin" or "administrator" in the user field, you see... Yes, I can use "hashministrator" or whatever instead, but... seems a bit silly, doesn't it?


PenkethBoy

Why not?

 

It's more secure than just leaving usernames etc. open to script kiddies hammering your server. IIRC the hide-users option was a measure brought in to help prevent attacks, if you must open your server to the unwashed internet :)

Jooki

> Why not?

1. I don't need to explain my reasons.

> It's more secure than just leaving usernames etc. open to script kiddies hammering your server.

2. As I said, those kids can still brute-force "admin" or "administrator", or just script the alphabet or the dictionary and eventually find "hashministrator" or whatnot.

3. It's undeniable that the most secure, indeed 100% secure, way is to just hide the "Forgot password" button.


chef

Here is a mutation observer global function you add to the scripts folder in the web app:

(function (win) {
    'use strict';

    var listeners = [],
        doc = win.document,
        MutationObserver = win.MutationObserver || win.WebKitMutationObserver,
        observer;

    // Register a selector and a callback. The callback runs once for every
    // element matching the selector, whether it is already in the DOM or is
    // added (or gains the matching attribute) later.
    function ready(selector, fn) {
        listeners.push({ selector: selector, fn: fn });
        if (!observer) {
            // One observer for the whole document is enough; re-check every
            // registered selector on each DOM change.
            observer = new MutationObserver(function () {
                check();
            });
            observer.observe(doc.documentElement, {
                childList: true,
                subtree: true,
                attributes: true
            });
        }
        // Handle elements that are already present.
        check();
    }

    function check() {
        for (var i = 0; i < listeners.length; i++) {
            var listener = listeners[i];
            var elements = doc.querySelectorAll(listener.selector);
            for (var j = 0; j < elements.length; j++) {
                var element = elements[j];
                // Make sure the callback isn't invoked with the same
                // element more than once.
                if (!element.ready) {
                    element.ready = true;
                    listener.fn.call(element, element);
                }
            }
        }
    }

    // Expose `ready` globally so index.html can call it.
    win.ready = ready;

})(window);

Add the script to the page by referencing it in index.html right under apploader.js:

<script src="scripts/mutation.js"></script>

In index.html, create <script> tags right before the </body> tag and add this code:

<script>
    ready('.cardScalable[data-type="ForgotPassword"]', function (element) {
        element.parentNode.removeChild(element);
    });
</script>

Now, whenever that Forgot Password button is created in the web app, it is removed.

 

This code needs testing, but you get the idea.


I would also like to see this, as it is a security risk. Also, have an option to remove manual login on the sign-in page. Only the admin should have full control over the users' login page.

The above script would only work until you applied an update. This should be an admin user setting option.


crusher11

I'd also like to see this option, but in my case it's because I don't use Emby Connect, so it doesn't actually do anything except confuse users.
