Disable Authentication

[apocaliss92]

Is there the possibility to disable the authentication? I have always found a limitation of npm to not use an authentication system

[Zoey2936]

What is your usecase for this?

[apocaliss92]

Thank you for the super quick response!

I have authentik as SSO for all my services and npm is currently the only one which does not provide any possibility to disable the GUI authentication. There is an hack provided by an user but I could not really figure out how to make it work

For me it would really be enough to just disable it or allow passing basic authentication from the outside

[Zoey2936]

can you give me a link to this patch (or "hack") you mentioned?

Currently, you could just copy the Bearer token out of your browsers developer tools to make it work, but the token will is not valid very long. (1 day:

NPMplus/backend/internal/token.js

Line 22 in 844ab28

data.expiry = data.expiry || '1d';

)

But for things like authentic, I could add an env option to disable authentication, but I'm personally against using SSO, since you will have one password everywhere and since NPMplus is security relevant I don't think that this is a good idea

[apocaliss92]

Is it only required to pass it as Authorization header to each request? I will give it a try, I can generate tokens on authentik

The hack is something similar for npm

I will give it a try, thanks a lot

[Zoey2936]

Yes you only need to send the token (at least I think that this will work), the token can be creating by sending mail+password to the api, see this line as an example: it is an api request adding a host and requesting the token:

NPMplus/rootfs/usr/local/bin/aio.sh

Line 5 in 844ab28

curl -POST http://127.0.0.1:48693/nginx/proxy-hosts -sH 'Content-Type: application/json' -d '{"domain_names":["'"$NC_DOMAIN"'"],"forward_scheme":"http","forward_host":"127.0.0.1","forward_port":11000,"allow_websocket_upgrade":true,"access_list_id":"0","certificate_id":"new","ssl_forced":true,"http2_support":true,"hsts_enabled":true,"hsts_subdomains":true,"meta":{"letsencrypt_email":"","letsencrypt_agree":true,"dns_challenge":false},"advanced_config":"","locations":[],"block_exploits":false,"caching_enabled":false}' -H "Authorization: Bearer $(curl -POST http://127.0.0.1:48693/tokens -sH 'Content-Type: application/json' -d '{"identity":"[email protected]","secret":"iArhP1j7p1P6TA92FA2FMbbUGYqwcYzxC4AVEe12Wbi94FY9gNN62aKyF1shrvG4NycjjX9KfmDQiwkLZH1ZDR9xMjiG2QmoHXi"}' | jq -r .token)"

But still not recommended by me, but should work, if authentic can make this api request to get the token and then pass the token with your request

[Zoey2936]

I will convert this to a discussion, if you get it working, please leave a guide here if someone wants to achieve the same, but again not recommended by me. If you have other questions just ask

[apocaliss92]

Thank you very much for your hints, this is more complicate as expected, if one day there will be the possibility to just disable the authentication or implement a "trusted proxies" mechanism, I will be super happy :)
I completely agree with you on security issues, but my case is an home lab setup

Should I create some ticket for this specific request?

[Zoey2936]

no I will just leave this discussions "unanswered" so I will see it and can work on it when I have time

[apocaliss92]

As a side note, basic auth will work as well