
support http basic auth

Open dJani97 opened this issue 1 year ago • 3 comments

Hi!

The Immich mobile app now supports sending arbitrary HTTP header values to the server, which allows setting up basic authentication using a reverse proxy: https://github.com/immich-app/immich/pull/6840

Such a server will be unreachable from the outside world without supplying the basic auth headers. Could immich-go also support basic auth?

dJani97 avatar Sep 28 '24 20:09 dJani97

The use of tokens for authentication to the API is better practice than the use of passwords.

You may consider the following options:

  • configure the proxy to let API calls pass through
  • bypass the proxy by calling the physical IP address of the server
  • use a VPN to access the server's local IP

simulot avatar Sep 29 '24 08:09 simulot

The use of tokens for authentication to the API is better practice than the use of passwords.

How so? Adding basic_auth to a reverse proxy prevents all requests from hitting the server at all, unless authenticated. If there were a pre-authentication security vulnerability in immich (which we cannot know) and you let API calls pass through, then it could be exploited. But adding basic_auth would prevent this.

So token authentication isn't strictly better practice; it entirely depends on your threat model. Someone who'd configure basic_auth on immich probably does so to add additional security to their instance.

Recommending the use of an overlay network is fair advice, but saying that tokens are better than passwords is without merit.

oddlama avatar Oct 08 '24 19:10 oddlama
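The setup described in the opening post (a client sending an extra header so a Basic-auth reverse proxy lets it through) and the gating argument in the comment above, as an added example that is not immich-go's or Immich's own code: a Go client transport that attaches the proxy's Basic credentials alongside the API-key header, and an in-process stand-in for "proxy plus Immich" that rejects every request lacking valid proxy credentials before any upstream logic runs. The header name x-api-key, the path /api/server/ping, and the user name, password and key values are assumptions chosen for illustration.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// basicAuthHeader builds the value a reverse proxy expects in the
// Authorization header: "Basic " + base64("user:password").
func basicAuthHeader(user, pass string) string {
	return "Basic " + base64.StdEncoding.EncodeToString([]byte(user+":"+pass))
}

// basicAuthTransport adds the proxy's Basic credentials to every request
// while leaving the client's own x-api-key header (assumed name) untouched.
type basicAuthTransport struct {
	user, pass string
	base       http.RoundTripper
}

func (t *basicAuthTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	r := req.Clone(req.Context()) // never mutate the caller's request
	r.Header.Set("Authorization", basicAuthHeader(t.user, t.pass))
	return t.base.RoundTrip(r)
}

// newBasicAuthClient returns a client that can get past the proxy.
func newBasicAuthClient(user, pass string) *http.Client {
	return &http.Client{Transport: &basicAuthTransport{user: user, pass: pass, base: http.DefaultTransport}}
}

// newProxyHandler stands in for the reverse proxy plus the upstream app: the
// Basic check runs first, so a request without valid proxy credentials never
// reaches the upstream logic (here, an API-key check), whatever else it carries.
func newProxyHandler(user, pass string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		u, p, ok := r.BasicAuth()
		if !ok || u != user || p != pass {
			w.Header().Set("WWW-Authenticate", `Basic realm="immich"`)
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		// "Upstream": the app's own API-key check, reached only after the proxy.
		if r.Header.Get("x-api-key") == "" {
			http.Error(w, "missing api key", http.StatusUnauthorized)
			return
		}
		fmt.Fprint(w, "pong")
	})
}

// probe issues a GET with the given client and API key and returns the
// status code and trimmed response body.
func probe(client *http.Client, url, apiKey string) (int, string, error) {
	req, err := http.NewRequest(http.MethodGet, url, nil)
	if err != nil {
		return 0, "", err
	}
	if apiKey != "" {
		req.Header.Set("x-api-key", apiKey)
	}
	resp, err := client.Do(req)
	if err != nil {
		return 0, "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return 0, "", err
	}
	return resp.StatusCode, strings.TrimSpace(string(body)), nil
}

func main() {
	srv := httptest.NewServer(newProxyHandler("alice", "s3cret")) // constructed stand-in
	defer srv.Close()
	url := srv.URL + "/api/server/ping" // path is an assumption
	for _, c := range []struct {
		name   string
		client *http.Client
		apiKey string
	}{
		{"api key only, no proxy creds", http.DefaultClient, "immich-api-key"},
		{"proxy creds + api key", newBasicAuthClient("alice", "s3cret"), "immich-api-key"},
		{"wrong proxy password", newBasicAuthClient("alice", "nope"), "immich-api-key"},
		{"proxy creds, no api key", newBasicAuthClient("alice", "s3cret"), ""},
	} {
		code, body, err := probe(c.client, url, c.apiKey)
		fmt.Printf("%-30s -> %d %q %v\n", c.name, code, body, err)
	}
}
```

The first case is the one the thread is about: a client that presents only the API key is answered 401 by the proxy and the upstream key check never runs. Putting the Basic credentials in a RoundTripper, rather than on each request, is how a CLI would add this without touching its API call sites.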

This is a shared opinion on the internet and I'm certainly not a security expert.

The API key is easy to implement. The immich commits regarding this issue are about JWT. I'd need some help to implement it correctly.

simulot avatar Oct 09 '24 06:10 simulot