
Auth for ComfyUI Endpoint?

Open tilllt opened this issue 1 year ago • 9 comments

What types of authentication are currently supported from Krita-ai-diffusion to connect to an Internet-exposed ComfyUI endpoint?

We are running Traefik / Authentik / Forward Auth. I could turn on basic HTTP auth, or use a client certificate... But which of those options are supported by the plugin?

tilllt, Sep 29 '24 17:09

None, you'd have to implement that.

Acly, Oct 01 '24 10:10

I am a total noob in Python but according to ChatGPT, it would be fairly trivial to pass along a client certificate with the requests, without compromising any other parts of the software. Just to understand: would you generally be willing to accept contributions in that direction or would that clash with the interests in promoting your hosted comfy services?

tilllt, Oct 03 '24 10:10

I'm not against contributions in that area. I'd be interested in your use case though.

Keep in mind it has to work with Qt's QNetworkAccessManager. It's probably not complicated as long as it's supported.

Acly, Oct 03 '24 17:10

Our use case is that we are offering media literacy programs for kids and teenagers, giving an introduction to generative AI, one part of it with Krita / Krita-AI-Diffusion ... so we have our ComfyUI server in the office but teach both on-premises in our facilities and - depending on the school's infrastructure - remotely.

Some easy-to-install authentication (i.e. client certs) seems like a good idea so as not to have a completely open Comfy exposed to the internet ... and still easier than connecting everyone to a VPN into our network...

tilllt, Oct 03 '24 21:10

Would this be an example interesting to the use case? https://doc.qt.io/qt-6/qtwebengine-webenginewidgets-clientcertificate-example.html

tilllt, Oct 07 '24 05:10

Not sure, it's for WebEngine (integrated web browser), I don't immediately see a way to apply it to general HTTP requests.

These are supported by QNetworkAccessManager:

  • https://doc.qt.io/qt-5/qauthenticator.html
  • https://doc.qt.io/qt-6/qsslpresharedkeyauthenticator.html

Acly, Oct 07 '24 07:10

I use basic auth and pass it along in the URL in the plugin options, like

https://username:[email protected]

I haven't had any major issues using it this way. The username/pw will be shown in the options, so that's something to be aware of.


I also ran into some issues with HTTPS via my local CA and the Linux version of Krita's AppImage sandboxing. Which isn't directly related, but if you use a similar setup (HTTPS from private cert authority + Linux Krita AppImage/Flatpak), you may run into problems with it not trusting your certs despite them being installed properly.

Those were solved by passing the following env vars to Krita on launch (replace the path with wherever your local system stores the certs):

  • SSL_CERT_FILE=/etc/ssl/cert.pem
  • REQUESTS_CA_BUNDLE=/etc/ssl/cert.pem

nub-nub, Oct 10 '24 13:10

Thank you so much for this idea, I will try that next week. We are running ComfyUI behind Traefik and Authentik using Let's Encrypt certs so that should work fine...

tilllt, Oct 12 '24 19:10

I added basic auth to my endpoint as well and it works for some time... then it somehow loses authorization it seems. The plugin throws an error:

2025-03-08 18:43:25,398 ERROR Unhandled exception while processing Job[local=514e238f-3981-4a8c-9519-6bdf3888a90e, remote=<Future finished result='ERROR'>]
Traceback (most recent call last):
  File "/home/rkfg/.var/app/org.kde.krita/data/krita/pykrita/ai_diffusion/comfy_client.py", line 213, in _run
    await self._run_job(job)
  File "/home/rkfg/.var/app/org.kde.krita/data/krita/pykrita/ai_diffusion/comfy_client.py", line 238, in _run_job
    raise e
  File "/home/rkfg/.var/app/org.kde.krita/data/krita/pykrita/ai_diffusion/comfy_client.py", line 232, in _run_job
    result = await self._post("prompt", data)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/rkfg/.var/app/org.kde.krita/data/krita/pykrita/ai_diffusion/comfy_client.py", line 197, in _post
    return await self._requests.post(f"{self.url}/{op}", data)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
ai_diffusion.network.NetworkError: Connection closed

And in the webserver logs I see that the Authorization field is missing when this happens, the server returns 401 as well. This seems to be time-based because for a while (30 minutes or 1 hour?) it works just fine and then stops. I need to go to the plugin settings and manually connect from there, then it works again for some time. I speculate these HTTP Basic Auth credentials are cached and this cache simply expires.

The URL is specified as https://login:[email protected], internally there's a Caddy webserver which provides basic auth and forwards requests to the ComfyUI Docker container.

rkfg, Mar 08 '25 16:03
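
The basic-auth-in-URL setup described in the last two comments, as an added example (not code from the plugin or from any commenter): it splits the credentials out of the configured URL, builds the `Authorization: Basic` header so a client can attach it explicitly to each request, and produces a masked URL for settings dialogs or logs. The host name, credentials and function names are constructed for illustration; refusing plain `http://` when credentials are present is a choice made here.

```python
import base64
from urllib.parse import urlsplit, urlunsplit, unquote


def split_basic_auth(url):
    """Split 'https://user:pass@host/...' into (url_without_userinfo, headers)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("expected an http(s) URL with a host")
    # Everything after the last '@' in the authority is host[:port].
    hostport = parts.netloc.rpartition("@")[2]
    clean = urlunsplit((parts.scheme, hostport, parts.path, parts.query, parts.fragment))
    headers = {}
    if parts.username is not None:
        if parts.scheme != "https":
            # Basic auth is only base64-encoded, so it needs TLS underneath.
            raise ValueError("refusing to send Basic credentials over plain http")
        # Userinfo is percent-encoded in the URL; the header carries the raw values.
        user = unquote(parts.username)
        password = unquote(parts.password or "")
        token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
        headers["Authorization"] = "Basic " + token
    return clean, headers


def redact(url):
    """Return the URL with the password masked, for display or logging."""
    parts = urlsplit(url)
    if parts.password is None:
        return url
    hostport = parts.netloc.rpartition("@")[2]
    masked = f"{parts.username}:***@{hostport}"
    return urlunsplit((parts.scheme, masked, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    # Constructed sample value, not taken from the thread.
    configured = "https://teacher:s3cr%40t@comfy.example.org:8443"
    clean, headers = split_basic_auth(configured)
    print("display:", redact(configured))
    print("request:", clean + "/prompt", sorted(headers))
```

With `QNetworkAccessManager`, the resulting header value can be set on each request through `QNetworkRequest.setRawHeader`.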