Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Allow the WebUI to connect to an authenticated API #2243

Open
3 tasks done
hazae41 opened this issue Jul 7, 2024 · 8 comments
Open
3 tasks done

Allow the WebUI to connect to an authenticated API #2243

hazae41 opened this issue Jul 7, 2024 · 8 comments
Labels
effort/hours Estimated to take one or several hours exp/intermediate Prior experience is likely helpful kind/enhancement A net-new feature or improvement to an existing feature P3 Low: Not priority right now

Comments

@hazae41
Copy link

hazae41 commented Jul 7, 2024

Checklist

  • My issue is specific & actionable.
  • I am not suggesting a protocol enhancement.
  • I have searched on the issue tracker for my issue.

Description

ipfs/kubo#2389

Is there a way to connect to an authenticated API from the WebUI?

It seems the WebUI only accepts an URL or a Multiaddress without any possibility to customize the Authorization header

Maybe there should be a way to put the authorization into the URL via path or query parameters?

Thanks

@hazae41 hazae41 added the kind/enhancement A net-new feature or improvement to an existing feature label Jul 7, 2024
@hazae41
Copy link
Author

hazae41 commented Jul 8, 2024

I managed to get it to work by putting the secret token in a cookie and by using a Nginx reverse proxy to pass the cookie into an authorization header

server {
    listen       80;

    location / {
        proxy_http_version    1.1;
        proxy_pass            https://ipfs.example.com/;
        proxy_ssl_server_name on;
        proxy_set_header      Authorization      "Bearer $cookie_token";
        proxy_pass_header     Authorization;
        client_max_body_size  100M;
    }
}

Then go to your proxy url /webui and execute the following JavaScript in the web console

document.cookie="token=YOUR_IPFS_TOKEN"

Reload the page and voila

https://github.com/hazae41/safe-ipfs

@lidel lidel transferred this issue from ipfs/kubo Jul 9, 2024
@lidel
Copy link
Member

lidel commented Jul 9, 2024

I think there is an old code that support Basic Auth (#836, #1586), but afaik there is no support for Bearer tokens.

The basic auth credentials are passed in URL form:

image

@hazae41 does Basic Auth work for you (then we can close this), or do you need ability to pass custom Authorization header (then we should turn this into feature request).

@lidel lidel added the need/author-input Needs input from the original author label Jul 9, 2024
@hazae41
Copy link
Author

hazae41 commented Jul 9, 2024

Thanks, I will try

Yet Bearer should be good to add at some point if you have time

@hazae41
Copy link
Author

hazae41 commented Jul 10, 2024

When the WebUI is same-origin, I can successfully go to /webui and enter the user:pass in URL and it works

But when the WebUI is cross-origin, its requests don't pass CORS, because it sends an OPTIONS preflight request without Authorization header, so the API then replies a Forbidden 403 since there is no header, which fails the CORS preflight test

The solution would be to always reply to OPTIONS requests with HTTP 200

I also noticed it can work with Bearer if we enter this JSON into the URL input

{"url":"https://ipfs.example.com","headers":{"authorization":"Bearer YOUR_TOKEN"}}

Copy link
Contributor

Oops, seems like we needed more information for this issue, please comment with more details or this issue will be closed in 7 days.

Copy link
Contributor

This issue was closed because it is missing author input.

@hazae41
Copy link
Author

hazae41 commented Sep 14, 2024

It's still an issue when connecting from a third-party, it's blocked by CORS

The solution would be to always reply to OPTIONS requests with HTTP 200

@lidel lidel reopened this Sep 16, 2024
@lidel lidel added exp/intermediate Prior experience is likely helpful P3 Low: Not priority right now effort/hours Estimated to take one or several hours and removed need/author-input Needs input from the original author kind/stale labels Sep 16, 2024
@vpavlin
Copy link

vpavlin commented Sep 20, 2024

Can't you just set Allow-Origin and Allow-Methods in IPFS config?

ipfs config --json API.HTTPHeaders.Access-Control-Allow-Methods '["PUT", "POST", "OPTIONS"]'
ipfs config --json API.HTTPHeaders.Access-Control-Allow-Origin '["'${IPFS_EXTERNAL_URL}'"]'

Or is the problem that you don't control the node?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
effort/hours Estimated to take one or several hours exp/intermediate Prior experience is likely helpful kind/enhancement A net-new feature or improvement to an existing feature P3 Low: Not priority right now
Projects
None yet
Development

No branches or pull requests

3 participants