OctoPrint security settings

I set up OctoPi on my Raspberry yesterday and I used it over the browser from my Windows 10 system.

When I access OctoPrint over the browser I need a login name and password.

Today I bought an Android app called PRINTOID (premium version).

I installed the app, put in the IP of the printer and I could access it.
Now that's not what I want. I want OctoPrint to always ask for a password.

You see I have not put any login info into the profile:

What am I missing here?

Please help. How can I make the connection secure?

Why am I asked for a password in the browser but any Android device I install PRINTOID on can control the printer without a password?

You log in and then you generate an API key and add it to the app.
Edit: You should use the Application Keys.


Sorry, I'm a noob, I don't know what you mean.

> You login and then you generate a API key and add it to the app

I did that but that doesn't explain (at least not for me) why the Android app is not asking me for a password.

Does that mean the API key acts like a permit?
I find this a bit confusing. I thought the API key is just some identification (like a device ID)?

Then why have the options for passwords in the PRINTOID app if that is not used?

I want OctoPrint to always ask me for a password before someone is able to control the printer.
When I connect to OctoPrint via Chrome or Firefox I get the login screen.

With the Android app... no login screen. The app immediately lets everyone control the printer.

I thought Linux is so secure. But this seems like a very insecure default behavior.
That's what I hear from my Linux freak friend who always tells me to try Linux. :slight_smile:
Linux is always written with security in mind is what he constantly tells me. :slight_smile:

The OctoPrint API key is the authentication just like (or equivalent to) a username/password. I'm pretty sure you needed to give the API key to PRINTOID in order for it to work.

In PRINTOID, the Local IP or hostname (LAN) identifies the OctoPrint instance you wish to communicate with and the OctoPrint API key gives permission to access that instance.

It does give everyone that has access to the Android device access to your printer, so now you have to control who has access to the Android device.

1 Like
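The point made in the answer above, as an added example (not part of the thread, and not OctoPrint or Printoid code): an API client is let in by the `X-Api-Key` header it sends, not by a login prompt, so anyone holding the key is authorized. The stub server, its 403 response and `DEMO_KEY` are constructed for the demonstration so it runs offline; `audit()` can be pointed at your own instance with your own key.

```python
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

DEMO_KEY = "CONSTRUCTED-DEMO-KEY"  # constructed value, not a real key
# Ignore proxy environment variables so local requests go direct.
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))

class StubOctoPrint(BaseHTTPRequestHandler):
    """Local stand-in (assumption): serves a request only with the right X-Api-Key."""
    def do_GET(self):
        ok = self.headers.get("X-Api-Key") == DEMO_KEY
        body = json.dumps({"text": "stub"} if ok else {"error": "forbidden"}).encode()
        self.send_response(200 if ok else 403)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass

def api_status(base_url, api_key=None):
    """Return the HTTP status of GET /api/version, with or without a key."""
    req = urllib.request.Request(base_url.rstrip("/") + "/api/version")
    if api_key is not None:
        req.add_header("X-Api-Key", api_key)
    try:
        with OPENER.open(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def audit(base_url, api_key):
    """Compare how the server treats no key, a wrong key and the valid key."""
    return {"no_key": api_status(base_url),
            "wrong_key": api_status(base_url, "not-the-key"),
            "valid_key": api_status(base_url, api_key)}

def run_demo():
    server = HTTPServer(("127.0.0.1", 0), StubOctoPrint)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return audit(f"http://127.0.0.1:{server.server_port}", DEMO_KEY)
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    print(run_demo())
```

Because the key alone is sufficient, treat it like a password: give each app its own key and revoke a key when the device that holds it is lost or shared.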

> The OctoPrint API key is the authentication just like (or equivalent to) a username/password. I'm pretty sure you needed to give the API key to PRINTOID in order for it to work.

Yes I did. But nowhere was it explained that this acts like a user/password.
And as the app also asked for a username and password I was confused that it worked without me putting in a username and password. :slight_smile:

Thx for the info.

I found this info and now I need a username and password when starting the Android app.

I still think this should be the default behavior.

It's only a few lines in the haproxy.cfg and I don't know the reason why the user (in my case an OctoPi noob) has to figure this out. There sure is a way to automatically ask the user for a username/password when he sets up OctoPi for the first time.

I have no luck.... :frowning:

Now I'm asked for a username/pass in the Android app..... but it won't be accepted.
No connection (error 200).

This is my haproxy.cfg:

In the green boxes are the lines I added.

The PRINTOID app cannot access OctoPrint anymore.

And my browser on Windows now looks like this:

Login does not work anymore.

When I remove the lines from the haproxy.cfg it works again like before.

I copied and pasted the commands from the article into the haproxy.cfg.
Of course I replaced the username and password in "user myuser insecure-password mypassword" with my own username and password.

What am I doing wrong?