ComfyUI
[Feature Request] Add authentication with username and password arguments
Unless I'm missing something when using listen and a simple port forward there's no authentication. I'd feel more confident using that feature and leaving it running if there was a username and password argument available.
Would like to second this. I'd like to leave, on occasion, a capable PC exposed with this running, to access it from somewhere else for brainstorming with someone/a group of people. Wouldn't dare do this without any protection.
@Lesani Don't quote me, as I don't know Python, but something like the following should work for server.py:
server.py | 23 +++++++++++++++++++++--
1 file changed, 21 insertions(+), 2 deletions(-)
diff --git a/server.py b/server.py
index f61b11a..7110a14 100644
--- a/server.py
+++ b/server.py
@@ -26,6 +26,7 @@ from comfy.cli_args import args
import comfy.utils
import comfy.model_management
+authorized_ips = set()
class BinaryEventTypes:
PREVIEW_IMAGE = 1
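Review bot: `authorized_ips` is a module-level set that only ever grows; nothing in this patch removes or expires an entry, so an address stays authorized until the process restarts, even after that address has been reassigned to someone else. Store an expiry time with each entry and prune on lookup, or replace the set with per-client session tokens that time out.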
@@ -61,6 +62,14 @@ def create_cors_middleware(allowed_origin: str):
return cors_middleware
+async def check_ip_middleware(app, handler):
+ async def middleware(request):
+ if request.path != '/' and request.remote not in authorized_ips:
+ return web.Response(text="401 Unauthorized", status=401)
+ response = await handler(request)
+ return response
+ return middleware
+
class PromptServer():
def __init__(self, loop):
PromptServer.instance = self
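Review bot: `check_ip_middleware` checks nothing but `request.remote`, so every client that reaches the server from the same source address (a shared NAT, or a reverse proxy placed in front of ComfyUI) is authorized as soon as one of them is. Tie authorization to something the client holds, for example a random session cookie issued after the key check, and keep the address test at most as an additional restriction. The `request.path != '/'` exemption also hard-codes `/` as the only login route, which deserves a comment.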
@@ -72,7 +81,7 @@ class PromptServer():
self.messages = asyncio.Queue()
self.number = 0
- middlewares = [cache_control]
+ middlewares = [cache_control, check_ip_middleware]
if args.enable_cors_header:
middlewares.append(create_cors_middleware(args.enable_cors_header))
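Review bot: `check_ip_middleware` is put into `middlewares` unconditionally, while the CORS middleware two lines below is gated on `args.enable_cors_header`, so every install, including local-only ones, starts answering 401 after this change. Gate it behind its own command-line option. It also sits ahead of the CORS middleware in the list, so its 401 responses never pass through that middleware.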
@@ -114,7 +123,17 @@ class PromptServer():
@routes.get("/")
async def get_root(request):
- return web.FileResponse(os.path.join(self.web_root, "index.html"))
+ key = request.query.get('key')
+
+ if key and key == 'password':
+ # If the key is present and matches 'password', add the IP to the authorized_ips set.
+ authorized_ips.add(request.remote)
+
+ # Return a success message (optional).
+ return web.FileResponse(os.path.join(self.web_root, "index.html"))
+ else:
+ # If the key is missing or incorrect, return a 401 Unauthorized response.
+ return web.Response(text="401 Unauthorized", status=401)
@routes.get("/embeddings")
def get_embeddings(self):
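Review bot: `key == 'password'` in `get_root` compares against a literal in the source and takes the secret from the query string, where it ends up in browser history and in proxy and access logs, and travels in clear text over plain http. Read the secret from a command-line argument or environment variable, accept it in a POST body or an `Authorization` header, and compare it with `hmac.compare_digest`. The comment `# Return a success message (optional).` also sits above a line that returns index.html rather than a message.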
That has a hardcoded 'password' you'd change to anything. Then when you want to connect go to <ip>:<port>?key=<password> and your IP will be added to the whitelist. The middleware naively checks that your IP is in the list and if not returns 401.
Someone else would need to write a more solid solution.
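The per-IP whitelist described in this comment, set beside a per-client session token, as an added example that is not part of the original post or of ComfyUI. `SessionGate`, its methods, the sample address and the sample password are hypothetical, and the code uses only the standard library rather than being wired into aiohttp.

```python
import hashlib
import hmac
import secrets
import time


class SessionGate:
    """Per-client session tokens (hypothetical helper, not ComfyUI code)."""

    def __init__(self, password, ttl=3600.0, clock=time.monotonic):
        self._salt = secrets.token_bytes(16)
        self._pw_hash = self._derive(password)  # keep only a salted hash
        self._ttl, self._clock = ttl, clock
        self._sessions = {}  # sha256(token) -> expiry time

    def _derive(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def login(self, password):
        """Return a fresh random token, or None when the password is wrong."""
        if not hmac.compare_digest(self._derive(password), self._pw_hash):
            return None  # constant-time comparison, unlike `key == 'password'`
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).digest()
        self._sessions[digest] = self._clock() + self._ttl
        return token

    def is_authorized(self, token):
        """True only for an unexpired token issued by login()."""
        if not token:
            return False
        digest = hashlib.sha256(token.encode()).digest()
        expiry = self._sessions.get(digest)
        if expiry is None or self._clock() >= expiry:
            self._sessions.pop(digest, None)  # drop expired entries
            return False
        return True


def compare_behind_nat():
    """Clients A and B share one source address; only A knows the password."""
    shared_ip = "203.0.113.7"  # constructed sample (documentation range)
    authorized_ips = {shared_ip}  # state after A logs in under the IP scheme
    ip_scheme_admits_b = shared_ip in authorized_ips
    gate = SessionGate("correct horse battery staple")  # constructed password
    token_a = gate.login("correct horse battery staple")
    token_b = gate.login("wrong guess")
    return ip_scheme_admits_b, gate.is_authorized(token_a), gate.is_authorized(token_b)
```

In a real server the token would be handed to the client as a `Secure`, `HttpOnly` cookie over HTTPS and checked in the middleware in place of `request.remote`.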
I'd say this is out of scope for ComfyUI IMO. Just run comfy on a private network and access via SSH port-forwarding, or connect via Tailscale or Wireguard, or put it behind a reverse proxy with HTTP basic auth, or hard-code some IP addresses like shown above, or... there's plenty of ways you can already do this without pulling the dev off of more important tasks.
I agreed.
While it might be possible to implement basic authentication in ComfyUI, it's generally advisable to assume that ComfyUI lacks security as it wasn't designed with security in mind. Following his suggestion and using methods like SSH tunneling would be more desirable.
I believe that implementing lightweight authentication could potentially create a misconception that ComfyUI is secure, which might not be the case.
The best way, IMHO, is to bind ComfyUI to a local address and run a reverse-proxy with basic authentication in front.
I have implemented this with Caddy server in my container at https://github.com/ai-dock/comfyui if you need any inspiration.
Naturally, you'd want to ensure credentials are passed to the proxy over HTTPS.
Honestly, I think a secure connection should be made by default, even if using a self signed certificate, with basic login. Currently, when I look at different projects that try to utilize an api connection or remote connection, a lot of users are unaware that security is off by default, you can see this by going to different tools and see in their code they connect to "ws://" and "http://", going to shodan and being able to connect directly into others' instances. Some tried being creative by using a different port number, but it's there in plain sight, a non-authenticated http connection, because most don't understand what is and isn't a secure connection. Laymen would assume, any browser interface app would have some level of security by default, 24 years into the new century. https://www.shodan.io/search?query=comfyui
I did a little project, did a little write-up. I understand the issue of granting encrypted communication by default, I hit a road block when it comes to self-signed certificates and device support / central authority, etc.
Nonetheless I feel it's worth sharing what I made and my description of how it works. I know I can work around the self-signed certificate issue by signing it with a self created CA certificate, then adding that reference to the device, so it can verify it, but that also brings the issue of teaching others how to execute that script (if created), then transferring it to their device of choice.
I think the process can be mostly automated, for the most part, but to be device agnostic, there will need to be some manual interaction from the user.
Here's the write-up I did that covers the project.
https://github.com/comfyanonymous/ComfyUI/discussions/918?fbclid=IwAR0K2UErO4lVZuJ10vabpPj2935sanXfn7mKOj_8YdR4rQsFPghyYJwoZlA#discussioncomment-8374760
https://github.com/liusida/ComfyUI-Login

I've made this into a custom node and can be installed easily (git clone into the custom_nodes folder). It works -- at least, I don't see an easy way to access the system remotely without a password. However, nothing can be guaranteed.
This custom node serves as a proof-of-concept to explore the implementation of basic login functionality for ComfyUI.
In the future, if proven useful, this feature could be directly integrated into either ComfyUI or ComfyUI-Manager.
I thought about it for a while, and now I think it'll be easier to just keep it as a "custom node". So I've submitted it to ComfyUI-Manager. Search for "login" and you'll find it in the "Install Custom Nodes" dialog.
@liusida does that node also protect when using the rest-api + ws (cross-origin) ?
yes, it does.
for rest-api, just form an additional token argument in the url. Details are here:
https://github.com/liusida/ComfyUI-Login#use-rest-api-calls