Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[FEAT] Bypass password authentication for API calls #190

Closed
1 task done
helgehatt opened this issue Jan 15, 2025 · 5 comments
Closed
1 task done

[FEAT] Bypass password authentication for API calls #190

helgehatt opened this issue Jan 15, 2025 · 5 comments
Labels
enhancement New feature or request

Comments

@helgehatt
Copy link

Is this a new feature request?

  • I have searched the existing issues

Wanted change

I have a server running on https://3000.example.tld and a client running on https://4000.example.tld
When I navigate to https://3000.example.tld I am redirected to https://3000.example.tld/login with

Welcome to code-server
Please log in below. Password was set from $PASSWORD.

and after inputting password I can navigate to https://3000.example.tld/api/endpoint to get a valid JSON response.

However, when the client running on https://4000.example.tld tries to request a resource on the server, I simply get 401, because the client has obviously not "logged in" to the server. How is the correct way to solve this?

Reason for change

The code-server is exposed to the internet, so I can't simply remove the password authentication. However, the client and server have their own authentication mechanisms, so it wouldn't be necessary with password authentication on the proxy domains.

Proposed code change

No response
@helgehatt helgehatt added the enhancement New feature or request label Jan 15, 2025
@github-actions GitHub Actions
Copy link

Thanks for opening your first issue here! Be sure to follow the relevant issue templates, or risk having this issue marked as invalid.

@LinuxServer-CI
Copy link
Collaborator

This issue has been automatically marked as stale because it has not had recent activity. This might be due to missing feedback from OP. It will be closed if no further activity occurs. Thank you for your contributions.

@johnykes
Copy link

johnykes commented Mar 8, 2025

Also interested on this topic.
I want a easy way to authenticated, get the cookie, and also start the VSCODE application automatically, because right now, even if I have the cookies, if I do a post request to a VSCODE extension for example, the vscode is not even running.

@j0nnymoe
Copy link
Member

j0nnymoe commented Mar 8, 2025

Sounds like something that should be requested to the upstream project, we just package what's released.

@LinuxServer-CI LinuxServer-CI moved this from Issues to Done in Issue & PR Tracker Mar 19, 2025
@helgehatt
Copy link
Author

For anyone else coming here, the solution is to send requests from the client with credentials. That way the code-server-session cookie is sent with the request and the client can bypass the server's password authentication.

Specifically in my case, I added

axios.defaults.withCredentials = true

client-side, and

app.enableCors({
  origin: process.env.NX_PUBLIC_CLIENT_URL,
  credentials: true,
});

server-side.

As j0nnymoe mentioned, this is related to the upstream project, and there are several discussions there regarding this.
E.g. coder/code-server#3240

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request
Projects
Issue & PR Tracker
Status: Done
Milestone
No milestone
Development

No branches or pull requests
4 participants
@j0nnymoe @helgehatt @LinuxServer-CI @johnykes