starred/ntfy
1
0
Fork 0
mirror of https://github.com/binwiederhier/ntfy.git synced 2026-05-09 08:26:00 +02:00
Code Issues 368 Projects Packages Wiki Activity

[GH-ISSUE #238] Deny WebUI access to anonymous users #190

New issue
Closed
opened 2026-05-07 00:21:14 +02:00 by BreizhHardware · 14 comments
BreizhHardware commented 2026-05-07 00:21:14 +02:00
Owner
Copy link

Originally created by @ryester19 on GitHub (May 5, 2022).
Original GitHub issue: https://github.com/binwiederhier/ntfy/issues/238

While the current ACL implementation allows you to deny subscribing and publishing for anonymous users, there's no way to prevent them from using the WebUI to connect to other servers. For a truly private server, anonymous users should be prevented from using the server at all

I have an idea on how this could be implemented:

  1. Introduce a new ACL permission that controls WebUI access
  2. Introduce a login screen at WebUI load
    • If WebUI access for anonymous users is allowed, the login screen is hidden
    • An added benefit is that you can use this authentication to forego asking users for credentials when adding local subscriptions later on
Originally created by @ryester19 on GitHub (May 5, 2022). Original GitHub issue: https://github.com/binwiederhier/ntfy/issues/238 While the current ACL implementation allows you to deny subscribing and publishing for anonymous users, there's no way to prevent them from using the WebUI to connect to other servers. For a truly private server, anonymous users should be prevented from using the server at all I have an idea on how this could be implemented: 1. Introduce a new ACL permission that controls WebUI access 2. Introduce a login screen at WebUI load - If WebUI access for anonymous users is allowed, the login screen is hidden - An added benefit is that you can use this authentication to forego asking users for credentials when adding local subscriptions later on
BreizhHardware 2026-05-07 00:21:14 +02:00
BreizhHardware commented 2026-05-07 00:21:15 +02:00
Author
Owner
Copy link

@binwiederhier commented on GitHub (May 5, 2022):

Thank you very much for creating this ticket. It has been discussed many times on Discord, and it absolutely deserves a ticket.

I explained it many times before, but I'll explain it one last time here, so I can link to it later:

Dumb client: The web app is a dumb client only app. All the logic is implemented in JS in the browser. Having access to the web app gives you no access to the server. As you have correctly noted, the ACLs allow you to deny access to all topics, so having the web app exposed to the internet does not pose a security threat. Your server initially serves the HTML+ JS, but thats about it. In many ways, the web app is identical to the Android app. Having the app and having access to it does not mean having access to the server.

However, there is (as this ticket proves) a UX problem with this approach: people do not understand this paradigm. It is unusual for the web and not desired by selfhosters. People want login screens, even if that's just an illusion. Many people have requested this.

So, i give up. I'm going to implement a login screen. Just so I don't have to have this discussion again. It changes nothing from a security perspective, but it creates a more traditional UX.

And as we all know, UX is king 👑.

<!-- gh-comment-id:1119112490 --> @binwiederhier commented on GitHub (May 5, 2022): Thank you very much for creating this ticket. It has been discussed many times on Discord, and it absolutely deserves a ticket. I explained it many times before, but I'll explain it one last time here, so I can link to it later: *Dumb client*: The web app is a dumb client only app. All the logic is implemented in JS in the browser. Having access to the web app gives you no access to the server. As you have correctly noted, the ACLs allow you to deny access to all topics, so having the web app exposed to the internet does not pose a security threat. Your server initially serves the HTML+ JS, but thats about it. In many ways, the web app is identical to the Android app. Having the app and having access to it does not mean having access to the server. *However*, there is (as this ticket proves) a UX problem with this approach: people do not understand this paradigm. It is unusual for the web and not desired by selfhosters. People want login screens, even if that's just an illusion. Many people have requested this. *So*, i give up. I'm going to implement a login screen. Just so I don't have to have this discussion again. It changes nothing from a security perspective, but it creates a more traditional UX. *And as we all know*, UX is king 👑.
BreizhHardware commented 2026-05-07 00:21:15 +02:00
Author
Owner
Copy link

@ryester19 commented on GitHub (May 6, 2022):

Oh man, I'm sorry. I wasn't aware people were bothering you about this before. I avoid Discord whenever I can, so I didn't know 😓

I can only speak for myself, but even having anonymous users use the web client is still being too open when you intend the server to be "private". Maybe it's a psychological thing, and we've all been accustomed to login screens acting as a roadblock to hold back the outside world. As tiny as it seems, a login screen would still provide a heightened level of access control on a network that is very public

<!-- gh-comment-id:1119160591 --> @ryester19 commented on GitHub (May 6, 2022): Oh man, I'm sorry. I wasn't aware people were bothering you about this before. I avoid Discord whenever I can, so I didn't know :sweat: I can only speak for myself, but even having anonymous users use the web client is still being too open when you intend the server to be "private". Maybe it's a psychological thing, and we've all been accustomed to login screens acting as a roadblock to hold back the outside world. As tiny as it seems, a login screen would still provide a heightened level of access control on a network that is very public
BreizhHardware commented 2026-05-07 00:21:15 +02:00
Author
Owner
Copy link

@binwiederhier commented on GitHub (May 6, 2022):

Hehe, no worries, nobody is bothering me. People are very nice, but (understandably so) very confused.

Maybe it's a psychological thing, and we've all been accustomed to login screens acting as a roadblock

I think it's more "you've been trained" that this way, so you now need it to feel safe. And that's okay. I'll add the screen :-D

heightened level of access control

This is incorrect.

It's gonna be literally showing a screen that was previously hidden (switching display: none to display: block), similar to how I implemented nopaste.net and phil.nopaste.net. Look at the source code of both in your browser. They are the same. Except that for phil.nopaste.net I only show the main UI after a valid password was entered.

If you are in the network already, you can

  • interact with the API directly
  • spin up your own ntfy web app (which then interacts with the API)

So you see, no additional security gain through the login. Only a psychological one.

<!-- gh-comment-id:1119163894 --> @binwiederhier commented on GitHub (May 6, 2022): Hehe, no worries, nobody is bothering me. People are very nice, but (understandably so) very confused. > Maybe it's a psychological thing, and we've all been accustomed to login screens acting as a roadblock I think it's more "you've been trained" that this way, so you now need it to feel safe. And that's okay. I'll add the screen :-D > heightened level of access control This is incorrect. It's gonna be literally showing a screen that was previously hidden (switching `display: none` to `display: block`), similar to how I implemented `nopaste.net` and `phil.nopaste.net`. Look at the source code of both in your browser. They are the same. Except that for `phil.nopaste.net` I only show the main UI after a valid password was entered. If you are in the network already, you can * interact with the API directly * spin up your own ntfy web app (which then interacts with the API) So you see, no additional security gain through the login. Only a psychological one.
BreizhHardware commented 2026-05-07 00:21:15 +02:00
Author
Owner
Copy link

@binwiederhier commented on GitHub (May 6, 2022):

@ryester19 Btw, the Discord is bridged to Matrix too (https://matrix.to/#/#ntfy:matrix.org) if you like that more :-D

<!-- gh-comment-id:1119165247 --> @binwiederhier commented on GitHub (May 6, 2022): @ryester19 Btw, the Discord is bridged to Matrix too (https://matrix.to/#/#ntfy:matrix.org) if you like that more :-D
BreizhHardware commented 2026-05-07 00:21:16 +02:00
Author
Owner
Copy link

@ryester19 commented on GitHub (May 6, 2022):

This is incorrect

If the same resources are loaded whether there's a login prompt or not (as in your nopaste.net examples), then yes I would say it's pretty useless

However, if you're able to make it so that the static resources like 'main.2e44de94.js' are loaded only after successful authentication, then that would make this feature have some kind of purpose

<!-- gh-comment-id:1119178133 --> @ryester19 commented on GitHub (May 6, 2022): > This is incorrect If the same resources are loaded whether there's a login prompt or not (as in your nopaste.net examples), then yes I would say it's pretty useless However, if you're able to make it so that the static resources like 'main.2e44de94.js' are loaded only after successful authentication, then that would make this feature have some kind of purpose
BreizhHardware commented 2026-05-07 00:21:16 +02:00
Author
Owner
Copy link

@binwiederhier commented on GitHub (May 6, 2022):

It's open source, and as I said you can just use the web app on ntfy.sh/app for instance to subscribe to any server. See what I mean?

<!-- gh-comment-id:1119184834 --> @binwiederhier commented on GitHub (May 6, 2022): It's open source, and as I said you can just use the web app on ntfy.sh/app for instance to subscribe to any server. See what I mean?
BreizhHardware commented 2026-05-07 00:21:16 +02:00
Author
Owner
Copy link

@ryester19 commented on GitHub (May 6, 2022):

Sounds to me there would be more practical purpose in just letting server admins disable the WebUI completely.

<!-- gh-comment-id:1119193284 --> @ryester19 commented on GitHub (May 6, 2022): Sounds to me there would be more practical purpose in just letting server admins disable the WebUI completely.
BreizhHardware commented 2026-05-07 00:21:16 +02:00
Author
Owner
Copy link

@binwiederhier commented on GitHub (May 6, 2022):

I think the "illusion" is still worthwhile, even if it's just to avoid this discussion :-D

I was thinking:

web-enabled = true|false
web-login = none|admin|user
<!-- gh-comment-id:1119194108 --> @binwiederhier commented on GitHub (May 6, 2022): I think the "illusion" is still worthwhile, even if it's just to avoid this discussion :-D I was thinking: ``` web-enabled = true|false web-login = none|admin|user ```
BreizhHardware commented 2026-05-07 00:21:17 +02:00
Author
Owner
Copy link

@Curid commented on GitHub (May 12, 2022):

web-enabled = true|false

I'm working on this.

<!-- gh-comment-id:1125219464 --> @Curid commented on GitHub (May 12, 2022): > web-enabled = true|false I'm working on this.
BreizhHardware commented 2026-05-07 00:21:17 +02:00
Author
Owner
Copy link

@binwiederhier commented on GitHub (May 13, 2022):

Re-opening, since this is not entirely implemented. The hard part still has to be done:

web-login = none|admin|user
<!-- gh-comment-id:1126346516 --> @binwiederhier commented on GitHub (May 13, 2022): Re-opening, since this is not entirely implemented. The hard part still has to be done: ``` web-login = none|admin|user ```
BreizhHardware commented 2026-05-07 00:21:17 +02:00
Author
Owner
Copy link

@ntccloud commented on GitHub (Aug 17, 2023):

This problem is solved simply, use a webproxy like nginx for example, then you block / again, and only open the /topics.

<!-- gh-comment-id:1682196441 --> @ntccloud commented on GitHub (Aug 17, 2023): This problem is solved simply, use a webproxy like nginx for example, then you block / again, and only open the /topics.
BreizhHardware commented 2026-05-07 00:21:17 +02:00
Author
Owner
Copy link

@lazee486 commented on GitHub (Sep 28, 2023):

Im going to say incredibly wholesome debate and love your project :) Ive spun up my instance, and as a homelab user with docker and almost no experience, Ive left mine public, I don't mind if anyone uses it,I can see the effort that has gone into making it (not hacked together) so im not too worried about exploits, but I also know that decision was mainly because i didn't want to go through all the acl stuff just to get alerts from my devices....

a simple cosmetic privacy that helps with the people who know less like me will go a long way to making sure your software isn't abused because of my incompetence, and I thank you for working on it :)

<!-- gh-comment-id:1738787000 --> @lazee486 commented on GitHub (Sep 28, 2023): Im going to say incredibly wholesome debate and love your project :) Ive spun up my instance, and as a homelab user with docker and almost no experience, Ive left mine public, I don't mind if anyone uses it,I can see the effort that has gone into making it (not hacked together) so im not too worried about exploits, but I also know that decision was mainly because i didn't want to go through all the acl stuff just to get alerts from my devices.... a simple cosmetic privacy that helps with the people who know less like me will go a long way to making sure your software isn't abused because of my incompetence, and I thank you for working on it :)
BreizhHardware commented 2026-05-07 00:21:17 +02:00
Author
Owner
Copy link

@Mat-DB commented on GitHub (Aug 23, 2024):

It's an older issue but I am thinking to use authelia to put in front of the UI, just the UI. Just to give an other option here to make it "more secure".

To be clear I have authelia running for other things already and I know that it doesn't add anything in security to NTFY.
Just a pease of mind thing I guess.

Thanks to the maintainers btw!! Great project!
I am comparing Gotify and NTFY and I think NTFY is winning.

Edit 1: Authelia in front of ntfy is a nightmare. So I am going to leave it like this! Sorry for the possible spam.

<!-- gh-comment-id:2307846374 --> @Mat-DB commented on GitHub (Aug 23, 2024): It's an older issue but I am thinking to use authelia to put in front of the UI, just the UI. Just to give an other option here to make it "more secure". To be clear I have authelia running for other things already and I know that it doesn't add anything in security to NTFY. Just a pease of mind thing I guess. Thanks to the maintainers btw!! Great project! I am comparing Gotify and NTFY and I think NTFY is winning. Edit 1: Authelia in front of ntfy is a nightmare. So I am going to leave it like this! Sorry for the possible spam.
BreizhHardware commented 2026-05-07 00:21:18 +02:00
Author
Owner
Copy link

@Johnathan-intended commented on GitHub (Oct 17, 2025):

Thank you very much for creating this ticket. It has been discussed many times on Discord, and it absolutely deserves a ticket.

I explained it many times before, but I'll explain it one last time here, so I can link to it later:

Dumb client: The web app is a dumb client only app. All the logic is implemented in JS in the browser. Having access to the web app gives you no access to the server. As you have correctly noted, the ACLs allow you to deny access to all topics, so having the web app exposed to the internet does not pose a security threat. Your server initially serves the HTML+ JS, but thats about it. In many ways, the web app is identical to the Android app. Having the app and having access to it does not mean having access to the server.

However, there is (as this ticket proves) a UX problem with this approach: people do not understand this paradigm. It is unusual for the web and not desired by selfhosters. People want login screens, even if that's just an illusion. Many people have requested this.

So, i give up. I'm going to implement a login screen. Just so I don't have to have this discussion again. It changes nothing from a security perspective, but it creates a more traditional UX.

And as we all know, UX is king 👑.

https://pie-chart-all-white.github.io/q5bY7rYuyE0zFUaRDGVg/

<!-- gh-comment-id:3417406748 --> @Johnathan-intended commented on GitHub (Oct 17, 2025): > Thank you very much for creating this ticket. It has been discussed many times on Discord, and it absolutely deserves a ticket. > > I explained it many times before, but I'll explain it one last time here, so I can link to it later: > > _Dumb client_: The web app is a dumb client only app. All the logic is implemented in JS in the browser. Having access to the web app gives you no access to the server. As you have correctly noted, the ACLs allow you to deny access to all topics, so having the web app exposed to the internet does not pose a security threat. Your server initially serves the HTML+ JS, but thats about it. In many ways, the web app is identical to the Android app. Having the app and having access to it does not mean having access to the server. > > _However_, there is (as this ticket proves) a UX problem with this approach: people do not understand this paradigm. It is unusual for the web and not desired by selfhosters. People want login screens, even if that's just an illusion. Many people have requested this. > > _So_, i give up. I'm going to implement a login screen. Just so I don't have to have this discussion again. It changes nothing from a security perspective, but it creates a more traditional UX. > > _And as we all know_, UX is king 👑. https://pie-chart-all-white.github.io/q5bY7rYuyE0zFUaRDGVg/
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
main
dependabot/npm_and_yarn/web/fast-uri-3.1.2
email-verification
attachment-no-http2
attachment-fixes
attachment-s3
config-generator
postgres-replica
dockers-v2
postgres-support
postgres-webpush+user+message
postgres-webpush+user
postgres-webpush
1364-copy-action
crashfix
user-header
scalar-api-docs
cancel-scheduled
update-available
windows-server
303-update-notifications
postgres
admin-ui
require-login
http-clipboard
message-cache-lock
debian-stripe
predefined-users
busy-timeout
template-dir
ipv6
client-ip-header
apns-fix
feat_optional_require_login
security-updates
pg-message-cache
templating-disallow
templating-3
templating-2
message-size-limit+delay-limit
remove-rate-topics
html-emails
cf-priority
acl-underscores
auth-user-header
markdown
img-attach
web-improvements
utf8-headers
matrix-507-reject
http-response-writer
new-homepage-design
e2e
canary
windows
electron
update-messages
webhook-templating
v2.22.0
v2.21.0
v2.20.1
v2.20.0
v2.19.2
v2.19.1
v2.19.0
v2.18.0
v2.17.0
v2.16.0
v2.15.0
v2.14.0
v2.13.0
v2.12.0
v2.11.0
v2.10.0
v2.9.0
v2.8.0
v2.7.0
v2.6.2
v2.6.1
v2.6.0
v2.5.0
v2.4.0
v2.3.1
v2.3.0
v2.2.0
v2.1.2
v2.1.1
v2.1.0
v2.0.1
v2.0.0
v1.31.0
v1.30.1
v1.29.1
v1.29.0
v1.28.0
v1.27.2
v1.27.1
v1.26.0
v1.25.2
v1.25.1
v1.25.0
v1.24.0
v1.23.0
v1.22.0
v1.21.2
v1.21.1
v1.21.0
v1.20.0
v1.19.0
v1.18.1
v1.18.0
v1.17.1
v1.17.0
v1.16.0
v1.15.0
v1.14.1
v1.14.0
v1.13.0
v1.12.1
v1.12.0
v1.11.1
v1.11.2
v1.11.0
v1.10.0
v1.9.0
v1.8.0
v1.7.0
v1.6.1
v1.6.0
v1.5.3
v1.5.2
v1.5.1
v1.5.0
v1.4.8
v1.4.7
v1.4.6
v1.4.5
v1.4.4
v1.4.3
v1.4.2
v1.4.1
v1.4.0
v1.3.2
v1.3.3
v1.3.1
v1.3.0
v1.2.5
v1.2.4
v1.2.3
v1.2.2
v1.2.1
v1.2.0
v1.1.3
v1.1.2
v1.1.1
v1.1.0
v1.0.0
v0.0.5
v0.0.4
v0.0.3
v0.0.2
v0.0.1
Labels
Clear labels   
ai-generated

   
android-app

   
android-app

   
android-app

   
🪲 bug

   
build

   
build

   
dependencies

   
docs

   
enhancement

   
enhancement

   
🔥 HOT

   
in-progress 🏃

   
ios

   
prio:low

   
prio:low

   
pull-request
Mirrored from GitHub Pull Request

  
question

   
🔒 security

   
server

   
server

   
unified-push

   
web-app

   
website
No labels
ai-generated
android-app
android-app
android-app
🪲 bug
build
build
dependencies
docs
enhancement
enhancement
🔥 HOT
in-progress 🏃
ios
prio:low
prio:low
pull-request
question
🔒 security
server
server
unified-push
web-app
website
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
starred/ntfy#190
No description provided.