
Add basic authentication for HTTP

Open wangjia184 opened this issue 9 months ago • 11 comments

To enable it, just specify the HTTP_USERNAME and HTTP_PASSWORD in environment variables

E.g.

docker run -d --restart=always --name kokoro --gpus all --runtime=nvidia \
   -p 8880:8880 \
   -e HTTP_USERNAME=admin \
   -e HTTP_PASSWORD=pwd \
   remsky/kokoro-fastapi-gpu:v0.2.2

wangjia184 avatar Mar 04 '25 06:03 wangjia184

WHY??? This app is all local activity! Please do NOT do this! This app is becoming far too complex as it is.

RBEmerson970 avatar Mar 04 '25 14:03 RBEmerson970

@wangjia184 why not use the api_key param so it is compatible with openai specs and API design in general

fireblade2534 avatar Mar 04 '25 14:03 fireblade2534

@fireblade2534 how to enable api_key for this API? I am not familiar with OpenAI's protocol. Is it done by Bearer Authentication? How is it enabled in the docker image? Some other environment variables?

Thanks

wangjia184 avatar Mar 05 '25 02:03 wangjia184

@RBEmerson970 local activity also needs authentication. So, in a network running 10k+ servers, authentication is a mandatory requirement even for internal APIs. We don't need HTTPS, but authentication is always required.

The reason is compliance requirements (e.g., PCI DSS, NIST 800-53, CIS Controls) which explicitly require authentication for all system interfaces, regardless of network locality.

In short, it is not allowed to deploy an unauthenticated API in our network even if it is only accessed locally, because non-compliant endpoints may fail audits or violate contractual obligations.

So, it is really needed. Basic Auth is better than Bearer Authentication and other approaches like OAuth because it is friendly to web browsers. You have the choice of not enabling it by default.

wangjia184 avatar Mar 05 '25 02:03 wangjia184

I'd call that in-house, not local. Authentication, etc. becomes a job for your IT staff.

RBEmerson970 avatar Mar 05 '25 02:03 RBEmerson970

DevOps/IT staff certainly can set up a firewall to isolate. But... according to the compliance requirement, any API that can be accessed from another machine must be authenticated. Unless the API is bound to localhost, it is not allowed. Even if it is in a K8S group. I know it is way too strict, but financial institutions always go this way. It is about obligations instead of technology.

wangjia184 avatar Mar 05 '25 02:03 wangjia184

@wangjia184 https://platform.openai.com/docs/api-reference/authentication

@RBEmerson970 I think that having the option for authentication is a good idea as long as it can be disabled. Also, the implementation in this PR is not that complex.

fireblade2534 avatar Mar 05 '25 13:03 fireblade2534

Option, yes, requirement, no.

IMNSHO the issue heads into commercial vs. private use.

RBEmerson970 avatar Mar 05 '25 14:03 RBEmerson970

Agreed, authentication should be optional.

fireblade2534 avatar Mar 05 '25 19:03 fireblade2534

@wangjia184 https://platform.openai.com/docs/api-reference/authentication

I see, it is Bearer Authentication. That can be implemented.

wangjia184 avatar Mar 06 '25 06:03 wangjia184

+1 for this, if I'm allowed to vote. It only enforces basic auth if username and password are set, so 100% backward-compatible. But also would love to see (optional) Bearer Auth as well.

jcheek avatar Jul 08 '25 15:07 jcheek
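The opt-in check this thread describes (Basic auth enforced only when HTTP_USERNAME and HTTP_PASSWORD are set, plus the Bearer variant fireblade2534 and jcheek ask for), written here as an added stand-alone example in plain Python; it is not code from the Kokoro-FastAPI project or the PR. The Bearer variable name API_KEY, the `challenge` helper and the realm string are assumptions.

```python
import base64
import binascii
import hmac


def basic_header(user: str, pwd: str) -> str:
    """Build an 'Authorization: Basic ...' value, as a browser would."""
    return "Basic " + base64.b64encode(f"{user}:{pwd}".encode()).decode()


def challenge(env: dict) -> dict:
    """Headers to send with a 401 so a browser shows its login prompt."""
    if env.get("HTTP_USERNAME") and env.get("HTTP_PASSWORD"):
        return {"WWW-Authenticate": 'Basic realm="kokoro"'}  # realm assumed
    return {"WWW-Authenticate": "Bearer"}


def authorize(headers: dict, env: dict) -> bool:
    """Allow the request? Enforcement is opt-in: with neither
    HTTP_USERNAME/HTTP_PASSWORD nor API_KEY (assumed name for the Bearer
    variant) set, every request passes, so old deployments are unaffected."""
    username, password = env.get("HTTP_USERNAME"), env.get("HTTP_PASSWORD")
    api_key = env.get("API_KEY")
    basic_on = bool(username and password)
    if not basic_on and not api_key:
        return True

    # Header names are case-insensitive in HTTP.
    lowered = {k.lower(): v for k, v in headers.items()}
    scheme, _, credential = lowered.get("authorization", "").partition(" ")
    scheme, credential = scheme.lower(), credential.strip()
    if scheme == "basic" and basic_on:
        try:
            decoded = base64.b64decode(credential, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            return False
        user, sep, pwd = decoded.partition(":")  # RFC 7617: first colon splits
        if not sep:
            return False
        # Compare both parts in constant time, without short-circuiting.
        user_ok = hmac.compare_digest(user.encode(), username.encode())
        pwd_ok = hmac.compare_digest(pwd.encode(), password.encode())
        return user_ok and pwd_ok

    if scheme == "bearer" and api_key:
        return hmac.compare_digest(credential.encode(), api_key.encode())

    return False
```

A FastAPI dependency or middleware would call `authorize(dict(request.headers), os.environ)` and respond 401 with `challenge(os.environ)` when it returns False.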