Authentication
Given that the majority of users will integrate the workspace with an external authentication provider (or deploy on a local machine), the default deployment is configured to not require authentication.
The following sections will help you set up our opt-in authentication mechanism.
⚠️ WARNING
Remember to click Sign out at the bottom of the File menu when you are done working, as your login session won't expire automatically.
Password Authentication
Passed authentication can be easily configured by setting an environment variable when deploying the workspace. Setting your password is as simple as defining an env variable:
WS_AUTH_PASSWORD: Plaintext password for web login.WS_AUTH_PASSWORD_HASHED: Argon2 hash used for web login.
NOTE
All sensitive environment variables are purged before deploying Kloud Workspace, ensuring that your password is absent from future shell sessions.
sh
docker run \
-e WS_AUTH_PASSWORD=super_duper_secret \
ghcr.io/kloudkit/workspace:v0.1.1Creating a Hashed Password
To generate a hashed password, use the ws-cli tool (replacing "super_duper_secret" with your desired password):
sh
$ echo -n super_duper_secret | ws secrets generate login
$argon2id$v=19$m=4096,t=3,p=1$z4DjJlJgI6S7fAdQC35ZQw$Rpu8CLMWedxJaH0eiFCetyoRbg+S8ow/RRyVCZzM6QE💡 TIP
You can generate the password hash from within a running workspace for subsequent executions. Then restart the instance and set the value for WS_AUTH_PASSWORD_HASHED:
sh
echo -n "your_password" | ws secrets generate --workspace --rawThen deploy the workspace:
sh
docker run \
-e WS_AUTH_PASSWORD_HASHED="$argon2id$v=19$m=4096,t=3,p=1$z4DjJlJgI6S7fAdQC35ZQw$Rpu8CLMWedxJaH0eiFCetyoRbg+S8ow/RRyVCZzM6QE" \
ghcr.io/kloudkit/workspace:v0.1.1Rate Limiting
The workspace has a built-in throttling mechanism to rate-limit password authentication attempts to two per minute and an additional twelve per hour.