Add user name to login page


#1

I use a password manager for all passwords, and it seems mighty confused by the pi-hole login page.

I managed to finally configure the password manager to only enter the password, but not having a user name is very different from any other login page out there.

My suggestion/feature request is to add a user name to the page. We don’t even need to create a whole lot of authentication logic to handle the user name – the server code could simply ignore the user, or expect a hard-coded name of “admin”.

Of course, it would be preferable for the owner to be able to override the admin user name, but looking at how routers usually works, the hard-coded “admin” seems to be the norm.

As for coding, I have already customized my own copy, but didn’t want to submit a Pull Request before knowing if there’s consensus that this is a Good Idea

Screenshot of my local customization:


#2

We have just discussed that in the background and don’t like the idea very much.

  1. It seems to be an issue of the particular password manager you are using - e.g. all modern browsers will store the password without any problems. We don’t see the need for Pi-hole to add a workaround. Instead, if you submit an issue report to your password manager, others will be able to benefit from the improvement there as well.
  2. If we add a user name field, it will not take long until users request a multi-user interface with different users having permissions to do different things and that will quickly lead to a whole bunch of additional work, where we see no needs at all.

Having said all that, I moved your request to the Feature Requests section, so users can vote. We are an fully Open Source project and alongside accepting pull requests which will all be reviewed and discussed, we offer the opportunity to have users vote for requests and if enough votes accumulate (e.g. long-term statistics) we will look into implementing this.

A possible compromise: would a hidden username field (with a value that is ignored by Pi-hole altogether) satisfy the needs of your password manager?


#3

Didn’t realize I’d added the topic in the wrong sections. Sorry about that and thanks for moving it.

As I said, I’ve found a local workaround, but my suggestion is based on the fact that a login page with only a password is somewhat unorthodox, so I thought I’d gauge the interest for adding a user name.

I completely get your concerns that this is the thin end of a wedge and could prompt feature requests in the areas of changing the user name and adding a fully-fledged role management system, which is would complicate the tool unnecessarily. I alluded that in my original feature request.

However, I think that is a bit of a false fear, as if people truly have a need for multi-user access, they’d request that regardless, and it is completely your prerogative to decline such requests. My suggestion is to just hard-code the authentication logic to expect “admin” and clearly document it as such and that it won’t be changed.

I don’t think having it as a toggleable option is a good idea. It will just add complexity and increase the risk of regressions. If you give me the option of not having a user name or a toggleable feature, I’d vote for the latter.


#4

This is not true. You can find similar protection measures everywhere where multi-user authentication is unnecessary (like most ISP routers, Intranet webpages, etc.). The fact that some users require a username is merely due to the fact that HTTP auth has to give a username/password combo by definition.


#5

I see the issue, but I’m able to create a long pass and store it within LastPass for entry. I share @DL6ER concern that adding in a username would set us on a course to including multiuser authentication. We do want to be security conscious and I applaud the approach to a good password management solution but I don’t know if hard coding in a username would lead to other issues.

Which password manager do you use, if I may ask?


#6

Bump! I use iOS built in password manager. Even adding a field for the username that isn’t used by pihole would be helpful.

ETA: Just donated $25 if that helps incentivize :slight_smile:


#7

As an iOS user myself, I’d actually be a big fan of this, too.


#8

How about a disabled user name field, prefilled with something like pihole? Would this work with your password manager?


#9

I would think so…


#10

@dovecode I’m looking at implementing this for Pi-hole v4.0. However, as you have seen in this conversation, the user field would have to be set to some constant value and then disabled. Does you password manager accept a disabled user field?


#11

I’ve had it work on other sites with just a password, so I think so.


#12

Having a disabled user name wouldn’t make a difference to me, as the default setup is to assume the login form has a user name and password that the password manager can autotype in. As I’ve stated before, I’ve managed to reconfigure the password manager to let it know that on this particular site, there’s only a password, so I don’t really care either way. My suggestion was based on the fact that I find the password-only approach unorthodox. Even my router, which only understands a single user, prompts for a username and password…