andresth / Kandroid

Android App for http://kanboard.net

Feature Request: support http basic auth in kanboard URL

aslmx opened this issue · comments

Actual behaviour

Try to setup a kanboard connection with

https://http-user:http-password@fqdn.to-kanboard.org/path/to/kanboard

With
user: kanboard-username
password: kanboard-user-password

Login will fail. Kandroid will complain that the Kanboard version used is smaller than 1.0.38, although it is 1.0.45.

As there are a lot of HTTP 401s in the Apache access.log, I assume that basic auth credentials in the URL are not used / parsed.

Expected behaviour

Kandroid uses the credentials provided in the URL to pass the HTTP BASIC AUTH that our webserver requires. Uses Kanboard credentials to auth against kanboard.

Steps to reproduce

Setup a server with http basic auth on Kanboard path, like

user@host# cat .htaccess
AuthType Basic
AuthName "Restricted Content"
AuthUserFile /etc/apache2/.htpasswd
Require valid-user

Configuration

  • Kandroid version: 0.54
  • Android/Mod version: Different Devices, Samsung S5+ and Huawei P9 lite
  • Theme (if you use one): none
  • Device type, name and manufacturer: see device
  • Kanboard version: 1.0.45 (updated, just for Kandroid ;))

Hi,
HTTP BASIC AUTH is already used to authenticate against Kanboard.

If I understand your setup correctly, you added a second layer of authentication.
So you have to login to see the Kanboard login page, is that correct?
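Added example (not code from this thread and not Kandroid's own code): a small model of the two-layer setup described above. It parses the credentials out of the configured URL, strips them from the URL that is actually requested, builds the Basic `Authorization` header, and runs a toy version of Apache's `Require valid-user` check against a constructed user table. The hostname, user names and passwords are the constructed values from the issue text; the web-server check is a plaintext stand-in for a real `.htpasswd`, which stores hashes. The point it makes visible: a request carries exactly one `Authorization` header, so when the app fills it with the Kanboard credential the outer layer answers 401 (the entries seen in access.log), and only the credential taken from the URL's userinfo gets through.

```python
import base64
import hmac
from urllib.parse import urlsplit, urlunsplit, unquote


def split_url_credentials(url):
    """Return (clean_url, username, password) for a URL that may carry
    userinfo (user:pass@) in its authority part. The credentials are
    percent-decoded and removed from the returned URL so they do not end
    up in request lines or access logs."""
    parts = urlsplit(url)
    username = unquote(parts.username) if parts.username is not None else None
    password = unquote(parts.password) if parts.password is not None else None
    host = parts.hostname or ""
    if ":" in host:  # IPv6 literal: urlsplit strips the brackets, restore them
        host = f"[{host}]"
    if parts.port is not None:
        host = f"{host}:{parts.port}"
    clean = urlunsplit((parts.scheme, host, parts.path, parts.query, parts.fragment))
    return clean, username, password


def basic_auth_header(username, password):
    """Build the single Authorization header a request may carry (RFC 7617)."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return {"Authorization": f"Basic {token}"}


def webserver_check(headers, htpasswd):
    """Toy model of Apache's 'Require valid-user': 200 if the Authorization
    header carries a credential from the (constructed, plaintext) user table,
    otherwise 401. A real .htpasswd stores password hashes, not plaintext."""
    value = headers.get("Authorization", "")
    if not value.startswith("Basic "):
        return 401
    try:
        decoded = base64.b64decode(value[len("Basic "):], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return 401
    user, sep, password = decoded.partition(":")
    expected = htpasswd.get(user)
    if not sep or expected is None:
        return 401
    return 200 if hmac.compare_digest(expected.encode(), password.encode()) else 401


# Constructed data mirroring the issue: the outer Apache layer knows only the
# shared HTTP credential; the Kanboard account is a different credential.
HTPASSWD = {"http-user": "http-password"}
KANBOARD_USER, KANBOARD_PASSWORD = "kanboard-username", "kanboard-user-password"
CONFIGURED_URL = "https://http-user:http-password@fqdn.to-kanboard.org/path/to/kanboard"


def outer_layer_status(configured_url, kanboard_user, kanboard_password):
    """Status the outer web-server layer returns for two client behaviours:
    'ignores_userinfo' - the client sends only its Kanboard credential, which
                         is what the reported 401s in access.log correspond to;
    'uses_userinfo'    - the client sends the credential embedded in the URL."""
    _clean, http_user, http_password = split_url_credentials(configured_url)
    return {
        "ignores_userinfo": webserver_check(
            basic_auth_header(kanboard_user, kanboard_password), HTPASSWD),
        "uses_userinfo": webserver_check(
            basic_auth_header(http_user, http_password), HTPASSWD),
    }


if __name__ == "__main__":
    print(split_url_credentials(CONFIGURED_URL))
    print(outer_layer_status(CONFIGURED_URL, KANBOARD_USER, KANBOARD_PASSWORD))
```

Since the reply above notes that Kandroid already sends HTTP Basic Auth to Kanboard, the URL-embedded credential and the Kanboard credential compete for the same header on every request; that is the structural obstacle behind this request, independent of whether the app parses userinfo from the URL.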

Well, I have the normal Kanboard user authentication via the normal login form.

However, to shield off the Kanboard from the "evil open internet" I added HTTP BASIC Auth for Apache. So whenever someone is accessing our Kanboard, he will first be asked by Apache to authenticate himself against the webserver to be even able to see the Kanboard login page. (We use a shared password for this - this is not meant to add bullet-proof security, just to keep Google and other bots off the server and also block random people browsing.)
When this succeeds, the user will either still have a valid Kanboard session or be shown the Kanboard login form to log in with his personal account.

Does that answer your question somehow? :)

+1
I use the same setup as aslmx and would also like to have support for this in Kandroid.

Another possible solution:
disable basic authentication for some secret location, for example /kanboard/supersecret/jsonrpc.php,
then use a rewrite rule to restore the correct path /kanboard/jsonrpc.php.
Use username and API key to login; this will work even for remote-auth users.

@aslmx you may avoid double-layer authentication with the following Kanboard settings
define('REVERSE_PROXY_AUTH', true);
define('REVERSE_PROXY_USER_HEADER', 'REMOTE_USER');
define('REVERSE_PROXY_DEFAULT_ADMIN', 'administrator');
define('REVERSE_PROXY_DEFAULT_DOMAIN', 'somedomain.com');

You also need to configure Apache to pass the REMOTE_USER environment variable (the `.*` in the two patterns below was eaten by markdown formatting in the original comment):
RewriteEngine On
RewriteCond %{REMOTE_USER} ^(.*)$
RewriteRule ^(.*)$ - [E=R_U:%1]
RequestHeader set REMOTE_USER %{R_U}e

+1

I authenticate to PAM with HTTP Basic Auth, i.e. there's already robust and flexible authentication in place. Since Kanboard provides the option to use a reverse proxy for authentication and deactivate its login form, as @linvinus mentioned, this concept appears to be supported by the server project, which should be reflected in the app.