Adding Basic Authentication to Screenly OSE


Displaying a full screen web page on a Raspberry Pi is a very common use case. You may want to check out FullPageOS, which looks pretty similar to my original hacks but packaged up nicely into an OS image.

Reminder: My fork of Screenly stores the administrative password in plain-text. This could be a problem, depending on your threat model. Make sure the password is unique and not used for anything else. Hashing it would be much better, but some authentication is more useful than the default of none. If you are interested in how to perform secure hashing then I cover this extensively in my book.

If you are having trouble getting this to work with the latest version of Screenly you could try looking at the diff, as it’s quite a small patch. Follow the instructions and make sure that you’re using a recent version of bottle that supports basic authentication.

I’ve worked on a few digital sign display screens (TVs used to display information) over the years. I used to roll my own with a Raspberry Pi and a bunch of hacks until I discovered the amazing Screenly Open Source Edition which does it much better. However, it has one weakness: the admin web interface is completely unauthenticated. This could allow people on the same network to get up to all sorts of mischief, especially as I prefer to run these on a guest Wi-Fi network so sensitive credentials can’t be recovered from the Pi.

[Image: Dashing HD dashboard] Dashing runs better on the Pi 2 but it still lags a bit.

I’ve made a small patch to Screenly that adds some very basic authentication. You can find it in my fork on GitHub. There are clearly some big issues with the simple approach I’ve taken but as long as you understand the weaknesses it should suffice for simple purposes. The credentials are hard-coded into the Python in plain-text so make sure they are unique and not used for anything else. Also you should enable HTTPS, otherwise they will be sent over the wire in the clear. This is better than nothing though!

A better approach would of course be to securely store passwords with a strong one-way hash function (such as bcrypt or PBKDF2) but then tooling is required to set and update them. If you care this much then you should probably upgrade to Screenly’s commercial offering (there’s a free tier).
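
One way to do the hashing described above with PBKDF2 from Python's standard library, as an added example rather than code from the fork or from Screenly. The function names, the storage format, the iteration count and the sample credentials are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import os

ALGO = "sha256"
ITERATIONS = 600_000  # assumed work factor; lower it if the Pi is too slow


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return 'pbkdf2_sha256$iterations$salt$hash' to store instead of the plain text."""
    salt = os.urandom(16)  # fresh random salt per password
    dk = hashlib.pbkdf2_hmac(ALGO, password.encode("utf-8"), salt, iterations)
    return "$".join([
        "pbkdf2_" + ALGO,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    ])


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        scheme, iterations, salt_b64, hash_b64 = stored.split("$")
        if scheme != "pbkdf2_" + ALGO:
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(hash_b64)
        dk = hashlib.pbkdf2_hmac(ALGO, password.encode("utf-8"), salt, int(iterations))
    except (ValueError, TypeError):
        return False  # malformed record: fail closed
    return hmac.compare_digest(dk, expected)


# Constructed sample credentials; only the hash string would be kept in the file.
ADMIN_USER = "admin"
ADMIN_HASH = hash_password("correct horse battery staple", iterations=10_000)


def check(user: str, password: str) -> bool:
    """Callback in the (user, password) -> bool shape that bottle's auth_basic takes."""
    user_ok = hmac.compare_digest(user.encode("utf-8"), ADMIN_USER.encode("utf-8"))
    pass_ok = verify_password(password, ADMIN_HASH)  # always run, even if user is wrong
    return user_ok and pass_ok
```

Running `hash_password` once at a Python prompt and pasting the resulting string into the server file is the minimal form of the "tooling" mentioned above.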

Disclaimer: I have absolutely no affiliation with Screenly. I just think they’re doing great work.

Archived Comments

Eliott says:
28th July 2015 at 9:23 pm

I’ve noticed this same thing, another thing is that you cannot pass a user/password through when adding an asset… Do you have any ideas on that?

Let’s say I wanted to show my Jira Dashboard… Right now there’s no good way.

James says:
29th July 2015 at 9:59 am

I think you should be able to pass a username and password in the URL if your dashboard supports basic authentication.

Jo says:
23rd March 2016 at 5:29 pm

When I replaced the file I am unable to connect to the GUI via my browser any more – not sure what I’ve done wrong!

James says:
23rd March 2016 at 10:21 pm

With the new server file you won’t be able to connect to the GUI without a username and password. That’s the point. Your browser should prompt you to enter these. You probably want to change the credentials by editing the file.
