-
Notifications
You must be signed in to change notification settings - Fork 1.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix: allow requests to /api/* without authentication #2455
fix: allow requests to /api/* without authentication #2455
Conversation
I assumed the Lines 829 to 830 in b15b5dc
but is this a safe assumption, or should we explicitly only allow |
I think this was on purpose but it was build a while ago what do you think @lilincmu |
there are no docs, so it was a bit frustrating for me trying this out :) - which is why I also linked it into the Issue tracking the feature for anyone else hitting the same problem |
PR to update the docs is always welcome.
…On Wed, Aug 17, 2022 at 9:34 PM Vincent ***@***.***> wrote:
there are no docs, so it was a bit frustrating for me trying this out :) -
which is why I also linked it into the Issue tracking the feature for
anyone else hitting the same problem
—
Reply to this email directly, view it on GitHub
<#2455 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAQ3ERDHWVAR24ER47XNMX3VZW4PHANCNFSM563UYS3A>
.
You are receiving this because your review was requested.Message ID:
***@***.***>
|
I realise that, and I thought to do it in a separate PR once I got to play and understand this PoC a bit better, I went through all the discussion on the feature and I see no mention of requiring both basic auth and api token, but let's wait for @lilincmu advice on this. but thanks for the suggestion @jamengual ! |
The implementation of #997 didn't take WebAuthentication into consideration, since its first draft was created before the PR of WebAuthentication. I can see the name I think it makes sense to bypass the basic auth for @vincentgna Maybe we can let this PR sit for a while and see what the community thinks? If no one responds by next week I can merge it in. |
FYI, moving authentication (SSO) to reverse proxy kind of resolves this issue for our use case (it was a planned to do) |
Problem
If WebAuthentication is enabled, API Endpoints can't be hit without Basic Auth on top of API Secret.
Not sure if this is by design, but I'd assume API Tokens should be decoupled from the WebAuthentication?
Expected
Actual
Work Around:
Related to: