Explanation of the --dev parameter #1826

Closed
3 tasks done
cyb3rko opened this issue Oct 3, 2021 · 12 comments
Labels
bounty:$5 Bounty applies for fixing this issue (Parse Bounty Program) type:docs Only change in the docs or README

Comments

Contributor

cyb3rko commented Oct 3, 2021

New Feature / Enhancement Checklist

Current Limitation

I found the hint on the README which addresses the --dev parameter of the dashboard (See HERE), which only says that it is disabling production-ready security features and that it's useful if you are running on docker.
But what exactly does that mean and what does it change in comparison to production mode?

Feature / Enhancement Description

I think it would be a helpful addition if there could be a small description added to the README to explain this parameter, otherwise we don't really know why to use it.

Example Use Case

n/a

Alternatives / Workarounds

n/a

3rd Party References

n/a


parse-github-assistant bot commented Oct 3, 2021

Thanks for opening this issue!

  • 🎉 We are excited about your ideas for improvement!

@mtrezza mtrezza added type:docs Only change in the docs or README type:ci CI related issue labels Oct 5, 2021
@parse-github-assistant parse-github-assistant bot removed the type:ci CI related issue label Oct 5, 2021
Contributor Author

cyb3rko commented Oct 5, 2021

@mtrezza I think it's enough information, right?
Or should I add empty information fields to make the assistant happy?

Member

mtrezza commented Oct 6, 2021

Yes, thanks for reporting, it's clear what you mean (we will simplify the templates soon). Would you want to create a PR for this?

@mtrezza mtrezza added the bounty:$5 Bounty applies for fixing this issue (Parse Bounty Program) label Oct 6, 2021
Contributor Author

cyb3rko commented Oct 6, 2021

I would like to but I don't know what the parameter does so I think I can not help here, sry.
That's why I opened this issue.

Member

mtrezza commented Oct 6, 2021

Did you take a look into the code? That would be my first step, I think it should be pretty easy to discover.

Contributor Author

cyb3rko commented Oct 6, 2021

I took a look and I found this:

program.option('--dev', 'Enable development mode. This will disable authentication and allow non HTTPS connections. DO NOT ENABLE IN PRODUCTION SERVERS');

This fits the occurrences I found in the code for the keyword dev where it allows non HTTPS connections.
Do you think that's it? Then I could add it to the README?

Member

mtrezza commented Oct 6, 2021

If you follow the dev parameter in code, is insecure http the only effect?

Contributor Author

cyb3rko commented Oct 6, 2021

No, there's another point.

The description of the allowed non HTTPS connections in localhost is:
Disallow HTTP requests except on localhost, to prevent the master key from being transmitted in cleartext

The other thing is that auth is not necessary if you access the Dashboard via localhost:
Allow no-auth access on localhost only, if they have configured the dashboard to not need auth

That's it
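
As an added example (not part of this thread and not Parse Dashboard's code), the two checks quoted in the comment above can be modelled as one decision function to see which requests `--dev` newly admits. The function names, config shape and sample requests are assumptions; that `--dev` skips both checks for every client is taken from the option description quoted earlier in the thread.

```javascript
// Added illustration, not Parse Dashboard source; all names are hypothetical.
const LOOPBACK = new Set(['127.0.0.1', '::1', '::ffff:127.0.0.1']);

// req: { secure, remoteAddress }   cfg: { dev, usersConfigured }
function checkRequest(req, cfg) {
  // Assumption: --dev turns both checks off for every client.
  if (cfg.dev) return { allowed: true, reason: 'dev mode: checks skipped' };
  if (LOOPBACK.has(req.remoteAddress)) {
    return { allowed: true, reason: 'localhost is exempt' };
  }
  // Check 1: no cleartext HTTP from remote clients, so the master key
  // is never transmitted unencrypted.
  if (!req.secure) return { allowed: false, reason: 'remote HTTP rejected' };
  // Check 2: a dashboard configured without auth is reachable from localhost only.
  if (!cfg.usersConfigured) {
    return { allowed: false, reason: 'remote no-auth rejected' };
  }
  return { allowed: true, reason: 'remote HTTPS with auth configured' };
}

// Constructed sample requests; 203.0.113.10 is a documentation-range address.
const SAMPLES = [
  { name: 'local http, no users',
    req: { secure: false, remoteAddress: '127.0.0.1' }, usersConfigured: false },
  { name: 'remote http, users configured',
    req: { secure: false, remoteAddress: '203.0.113.10' }, usersConfigured: true },
  { name: 'remote https, no users',
    req: { secure: true, remoteAddress: '203.0.113.10' }, usersConfigured: false },
  { name: 'remote https, users configured',
    req: { secure: true, remoteAddress: '203.0.113.10' }, usersConfigured: true },
];

// Names of the scenarios that are rejected normally but admitted with --dev.
function devModeExposure(samples = SAMPLES) {
  return samples
    .filter((s) => {
      const base = { usersConfigured: s.usersConfigured };
      const prod = checkRequest(s.req, { ...base, dev: false });
      const dev = checkRequest(s.req, { ...base, dev: true });
      return !prod.allowed && dev.allowed;
    })
    .map((s) => s.name);
}

console.log(devModeExposure());
```

The two scenarios it reports are the remote cleartext-HTTP case and the remote no-auth case, which is why the option text says not to enable `--dev` on production servers.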

Member

mtrezza commented Oct 6, 2021

Sounds good, do you want to add a paragraph to the README?

Member

mtrezza commented Oct 7, 2021

Closing via #1842

@mtrezza mtrezza closed this as completed Oct 7, 2021
Contributor Author

cyb3rko commented Oct 7, 2021

@mtrezza You can remove the bounty, because I don't need it.
I want to make that money available for "real" and laborious contributions in this open source community.
I did not contribute anything here :)

Member

mtrezza commented Oct 7, 2021

@cyb3rko That is very noble of you! Just know that your contribution here is much appreciated, because you picked up the issue, looked into it and engaged others to solve it together - and most importantly, solved it is. A pull request is often a team effort, so feel free to claim the bounty within the next 90 days, otherwise it will automatically go back into the community funds.
