Open dJani97 opened 1 month ago
The use of tokens for authentication to the API is better practice than the use of a password.
You may consider the following options:
The use of tokens for authentication to the API is better practice than the use of a password.
How so? Adding basic_auth to a reverse proxy prevents all requests from hitting the server at all, unless authenticated. If there were a pre-authentication security vulnerability in immich (which we cannot know) and you let API calls pass through, then it can be exploited. But adding basic_auth would prevent this.
So token authentication isn't strictly better practice, it entirely depends on your threat model. Someone who'd configure basic_auth on immich probably does so to add additional security to their instance.
Recommending the use of an overlay network is fair advice, but saying that tokens are better than passwords is without merit.
This is a shared opinion on the internet and I'm certainly not a security expert.
The API key is easy to implement. The immich commits regarding this issue are about JWT. I'd need some help to implement it correctly.
Hi!
The Immich mobile app now supports sending arbitrary HTTP header values to the server, which allows setting up basic authentication using a reverse proxy: https://github.com/immich-app/immich/pull/6840
Such a server will be unreachable from the outside world without supplying the basic auth headers. Could immich-go also support basic auth?
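The two layers the thread is discussing, as an added example in Go (immich-go's language) that is not code from immich-go, Immich, or anyone in this thread: a reverse-proxy-style gate that rejects every request lacking valid Basic credentials before it reaches the upstream (the pre-authentication argument made above), and a client transport that sends both the Basic header and Immich's x-api-key on every request (what a client would need to do to work behind such a proxy). The username, password, API key value and URL path are made up for the example, and the upstream handler is a stand-in that only checks the API key header, not Immich's real API.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// basicAuthGate plays the role of the reverse proxy: any request without valid
// Basic credentials is answered here and never forwarded, so a hypothetical
// pre-authentication bug in the upstream cannot be reached from outside.
func basicAuthGate(user, pass string, upstream http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		u, p, ok := r.BasicAuth()
		// Constant-time comparison so response timing does not reveal how
		// much of the credential matched.
		userOK := subtle.ConstantTimeCompare([]byte(u), []byte(user)) == 1
		passOK := subtle.ConstantTimeCompare([]byte(p), []byte(pass)) == 1
		if !ok || !userOK || !passOK {
			w.Header().Set("WWW-Authenticate", `Basic realm="immich"`)
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		upstream.ServeHTTP(w, r)
	})
}

// headerTransport is what a client behind such a proxy needs: it injects the
// proxy's Basic credentials and Immich's own x-api-key into every request.
type headerTransport struct {
	base               http.RoundTripper
	user, pass, apiKey string
}

func (t *headerTransport) RoundTrip(r *http.Request) (*http.Response, error) {
	req := r.Clone(r.Context()) // a RoundTripper must not mutate the caller's request
	req.SetBasicAuth(t.user, t.pass)
	req.Header.Set("x-api-key", t.apiKey)
	return t.base.RoundTrip(req)
}

func newClient(user, pass, apiKey string) *http.Client {
	return &http.Client{Transport: &headerTransport{base: http.DefaultTransport, user: user, pass: pass, apiKey: apiKey}}
}

// result is what a caller observes for one request.
type result struct {
	Status int
	Body   string
}

func call(c *http.Client, url string) (result, error) {
	resp, err := c.Get(url)
	if err != nil {
		return result{}, err
	}
	defer resp.Body.Close()
	b, err := io.ReadAll(resp.Body)
	if err != nil {
		return result{}, err
	}
	return result{resp.StatusCode, strings.TrimSpace(string(b))}, nil
}

// demo runs the gated stand-in server in-process and exercises it with four
// clients. Credentials, API key value and path are hypothetical.
func demo() (map[string]result, error) {
	const user, pass, apiKey = "alice", "proxy-secret", "example-api-key"

	// Stand-in for Immich: it checks only its own API key header.
	upstream := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("x-api-key") != apiKey {
			http.Error(w, "missing api key", http.StatusUnauthorized)
			return
		}
		fmt.Fprint(w, "ok")
	})
	srv := httptest.NewServer(basicAuthGate(user, pass, upstream))
	defer srv.Close()
	url := srv.URL + "/api/example"

	clients := map[string]*http.Client{
		"none":           http.DefaultClient,
		"wrong-password": newClient(user, "guess", apiKey),
		"basic-only":     newClient(user, pass, ""),
		"basic-and-key":  newClient(user, pass, apiKey),
	}
	out := make(map[string]result, len(clients))
	for name, c := range clients {
		r, err := call(c, url)
		if err != nil {
			return nil, err
		}
		out[name] = r
	}
	return out, nil
}

func main() {
	out, err := demo()
	if err != nil {
		panic(err)
	}
	for _, name := range []string{"none", "wrong-password", "basic-only", "basic-and-key"} {
		fmt.Printf("%-15s -> %d %s\n", name, out[name].Status, out[name].Body)
	}
}
```

Running it shows the layering: the unauthenticated and wrong-password clients are stopped at the gate with 401 and never touch the upstream, the client with only Basic credentials gets through the gate but is rejected by the upstream's own API key check, and only the client that sends both headers gets a 200. A real proxy (nginx, Caddy, Traefik) does the same job with its basic-auth directive; the point of the in-process version is to make visible which layer answered each request.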