[GH-ISSUE #132] Web UI broken with topic that require auth #110

New issue

Closed

opened 2026-05-07 00:20:06 +02:00 by BreizhHardware · 6 comments

BreizhHardware commented 2026-05-07 00:20:06 +02:00

Owner

Copy link

Originally created by @arminus on GitHub (Feb 6, 2022).
Original GitHub issue: https://github.com/binwiederhier/ntfy/issues/132

Testing the WebUI at tho point - not quite sure I've set up everything correctly, here's my ACL:

❯ ./ntfy access
user arminus (admin)
- read-write access to all topics (admin role)
user * (anonymous)
- no access to topic mysecrets
- read-write access to all (other) topics (server config)

http://pi4:8085/mysecrets gives me this:

Recent notifications (cached for 12h): 
Invalid Date
undefined

I pushed something to the topic before I figured out I had to explicitly do a ./ntfy access everyone mysecrets deny for that topic.

Next: Wouldn't t be desirable to trigger a BasicAuth dialog for a deny topic?
Next: http://arminus:password@pi4:8085/mysecrets also didn't give me the topic contents?

Am I missing something here?

Originally created by @arminus on GitHub (Feb 6, 2022). Original GitHub issue: https://github.com/binwiederhier/ntfy/issues/132 Testing the WebUI at tho point - not quite sure I've set up everything correctly, here's my ACL: ``` ❯ ./ntfy access user arminus (admin) - read-write access to all topics (admin role) user * (anonymous) - no access to topic mysecrets - read-write access to all (other) topics (server config) ``` http://pi4:8085/mysecrets gives me this: ``` Recent notifications (cached for 12h): Invalid Date undefined ``` I pushed something to the topic before I figured out I had to explicitly do a `./ntfy access everyone mysecrets deny` for that topic. Next: Wouldn't t be desirable to trigger a BasicAuth dialog for a deny topic? Next: http://arminus:password@pi4:8085/mysecrets also didn't give me the topic contents? Am I missing something here?

BreizhHardware 2026-05-07 00:20:06 +02:00

• closed this issue
• added the
  🪲 bug
  server
  labels

BreizhHardware commented 2026-05-07 00:20:06 +02:00

Author

Owner

Copy link

@binwiederhier commented on GitHub (Feb 6, 2022):

The web UI is intentionally broken and does not work with auth at all. I want to make a proper web UI (#111) and didn't want to invest in the old one at all for this.

I am on the road right now. I can look at the particular issue I'm more detail, and I'll answer your questions later.

Thank you very much for reporting this!!!

<!-- gh-comment-id:1030864407 --> @binwiederhier commented on GitHub (Feb 6, 2022): The web UI is intentionally broken and does not work with auth at all. I want to make a proper web UI (#111) and didn't want to invest in the old one at all for this. I am on the road right now. I can look at the particular issue I'm more detail, and I'll answer your questions later. Thank you very much for reporting this!!!

BreizhHardware commented 2026-05-07 00:20:07 +02:00

Author

Owner

Copy link

@binwiederhier commented on GitHub (Feb 6, 2022):

One more note: you may want to set auth-default-access = deny-all if you want to only have one admin user.

<!-- gh-comment-id:1030865436 --> @binwiederhier commented on GitHub (Feb 6, 2022): One more note: you may want to set `auth-default-access = deny-all` if you want to only have one admin user.

BreizhHardware commented 2026-05-07 00:20:07 +02:00

Author

Owner

Copy link

@arminus commented on GitHub (Feb 6, 2022):

I am on the road right now.

hey, it's Sunday, don't sweat it!

<!-- gh-comment-id:1030871280 --> @arminus commented on GitHub (Feb 6, 2022): > I am on the road right now. hey, it's Sunday, don't sweat it!

BreizhHardware commented 2026-05-07 00:20:08 +02:00

Author

Owner

Copy link

@binwiederhier commented on GitHub (Feb 7, 2022):

@arminus

not quite sure I've set up everything correctly, here's my ACL:

If you're trying to lock down the ntfy instance to "only I can use it", then you have not set it up correctly. The phrase - read-write access to all (other) topics (server config) implies that you have not set auth-default-access = deny-all. There's an example here that shows how to set up a private instance: https://ntfy.sh/docs/config/#example-private-instance

http://pi4:8085/mysecrets gives me this: ...

As I said above, the Web UI is broken and is not expected to work. I will eventually work on a new web UI, and I didn't want to put in effort to make the old one work (though it'd likely not be all that hard). My apologies for that. I renamed the ticket to indicate that the web UI is broken.

Next: Wouldn't t be desirable to trigger a BasicAuth dialog for a deny topic?

I think the browser basic auth dialog is not great, because it doesn't allow you to login. I'm kinda angry with browsers that they don't make a standard login flow for basic auth ... I will build something proper with the new web UI. Again, sorry about breaking this.

Next: http://arminus:password@pi4:8085/mysecrets also didn't give me the topic contents?

Yeah the topic route (/mysecrets) is not expecting auth at all. It just serves the site and that's that. It's broken :-/

<!-- gh-comment-id:1030960054 --> @binwiederhier commented on GitHub (Feb 7, 2022): @arminus > not quite sure I've set up everything correctly, here's my ACL: If you're trying to lock down the ntfy instance to "only I can use it", then you have not set it up correctly. The phrase `- read-write access to all (other) topics (server config)` implies that you have not set `auth-default-access = deny-all`. There's an example here that shows how to set up a private instance: https://ntfy.sh/docs/config/#example-private-instance > http://pi4:8085/mysecrets gives me this: ... As I said above, the Web UI is broken and is not expected to work. I will eventually work on a new web UI, and I didn't want to put in effort to make the old one work (though it'd likely not be all that hard). My apologies for that. I renamed the ticket to indicate that the web UI is broken. > Next: Wouldn't t be desirable to trigger a BasicAuth dialog for a deny topic? I think the browser basic auth dialog is not great, because it doesn't allow you to login. I'm kinda angry with browsers that they don't make a standard login flow for basic auth ... I will build something proper with the new web UI. Again, sorry about breaking this. > Next: http://arminus:password@pi4:8085/mysecrets also didn't give me the topic contents? Yeah the topic route (`/mysecrets`) is not expecting auth at all. It just serves the site and that's that. It's broken :-/

BreizhHardware commented 2026-05-07 00:20:08 +02:00

Author

Owner

Copy link

@arminus commented on GitHub (Feb 7, 2022):

If you're trying to lock down the ntfy instance to "only I can use it"

I actually wanted to test both a secured and an unsecured topic on the same instance. I understand the trade off in regards to #111 - wish I could help, but my WebDev skills are still too much 2015 like and I just don't find the time to deep dive into modern frameworks to be able to start something from scratch :-/

<!-- gh-comment-id:1031156324 --> @arminus commented on GitHub (Feb 7, 2022): > If you're trying to lock down the ntfy instance to "only I can use it" I actually wanted to test both a secured and an unsecured topic on the same instance. I understand the trade off in regards to #111 - wish I could help, but my WebDev skills are still too much 2015 like and I just don't find the time to deep dive into modern frameworks to be able to start something from scratch :-/

BreizhHardware commented 2026-05-07 00:20:08 +02:00

Author

Owner

Copy link

@binwiederhier commented on GitHub (Mar 11, 2022):

Done as part of #111; will be released in the next release (soon)

<!-- gh-comment-id:1065448519 --> @binwiederhier commented on GitHub (Mar 11, 2022): Done as part of #111; will be released in the next release (soon)

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

main

dependabot/npm_and_yarn/web/fast-uri-3.1.2

email-verification

attachment-no-http2

attachment-fixes

attachment-s3

config-generator

postgres-replica

dockers-v2

postgres-support

postgres-webpush+user+message

postgres-webpush+user

postgres-webpush

1364-copy-action

crashfix

user-header

scalar-api-docs

cancel-scheduled

update-available

windows-server

303-update-notifications

postgres

admin-ui

require-login

http-clipboard

message-cache-lock

debian-stripe

predefined-users

busy-timeout

template-dir

ipv6

client-ip-header

apns-fix

feat_optional_require_login

security-updates

pg-message-cache

templating-disallow

templating-3

templating-2

message-size-limit+delay-limit

remove-rate-topics

html-emails

cf-priority

acl-underscores

auth-user-header

markdown

img-attach

web-improvements

utf8-headers

matrix-507-reject

http-response-writer

new-homepage-design

e2e

canary

windows

electron

update-messages

webhook-templating

v2.22.0

v2.21.0

v2.20.1

v2.20.0

v2.19.2

v2.19.1

v2.19.0

v2.18.0

v2.17.0

v2.16.0

v2.15.0

v2.14.0

v2.13.0

v2.12.0

v2.11.0

v2.10.0

v2.9.0

v2.8.0

v2.7.0

v2.6.2

v2.6.1

v2.6.0

v2.5.0

v2.4.0

v2.3.1

v2.3.0

v2.2.0

v2.1.2

v2.1.1

v2.1.0

v2.0.1

v2.0.0

v1.31.0

v1.30.1

v1.29.1

v1.29.0

v1.28.0

v1.27.2

v1.27.1

v1.26.0

v1.25.2

v1.25.1

v1.25.0

v1.24.0

v1.23.0

v1.22.0

v1.21.2

v1.21.1

v1.21.0

v1.20.0

v1.19.0

v1.18.1

v1.18.0

v1.17.1

v1.17.0

v1.16.0

v1.15.0

v1.14.1

v1.14.0

v1.13.0

v1.12.1

v1.12.0

v1.11.1

v1.11.2

v1.11.0

v1.10.0

v1.9.0

v1.8.0

v1.7.0

v1.6.1

v1.6.0

v1.5.3

v1.5.2

v1.5.1

v1.5.0

v1.4.8

v1.4.7

v1.4.6

v1.4.5

v1.4.4

v1.4.3

v1.4.2

v1.4.1

v1.4.0

v1.3.2

v1.3.3

v1.3.1

v1.3.0

v1.2.5

v1.2.4

v1.2.3

v1.2.2

v1.2.1

v1.2.0

v1.1.3

v1.1.2

v1.1.1

v1.1.0

v1.0.0

v0.0.5

v0.0.4

v0.0.3

v0.0.2

v0.0.1

Labels

Clear labels   

ai-generated

  

android-app

  

android-app

  

android-app

  

🪲 bug

  

build

  

build

  

dependencies

  

docs

  

enhancement

  

enhancement

  

🔥 HOT

  

in-progress 🏃

  

ios

  

prio:low

  

prio:low

  

pull-request

Mirrored from GitHub Pull Request

  

question

  

🔒 security

  

server

  

server

  

unified-push

  

web-app

  

website

No labels

ai-generated

android-app

android-app

android-app

🪲 bug

build

build

dependencies

docs

enhancement

enhancement

🔥 HOT

in-progress 🏃

ios

prio:low

prio:low

pull-request

question

🔒 security

server

server

unified-push

web-app

website

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/ntfy#110

No description provided.