-
-
Notifications
You must be signed in to change notification settings - Fork 171
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
URL based authentication #3575
Comments
Would this be for the html5 client? |
Yes, that's indeed for the HTML5 client. The problem with the random password in the query string is that my Apache reverse proxy does not correctly forward it. I spawn xpra instances dynamically on different ports. Thus I would need to add dynamically a |
I don't really see how that helps solve the problem then. If it was me, I would look into using a UUID with
If that allows dynamic strings to be used? (assuming that this can also be done safely to prevent directory traversal and such) |
Maybe I'm confused by having tried so many ways of doing it. With ttyd, I use this configuration:
It works perfectly. With xpra, I use:
Then I run: And the HTML5 client connects to But authentication is refused. My understanding is that something related to authentication does not go through the websockets. Because as far as I've traced the requests and rewritings, everything looks OK. But maybe I'm entirely wrong. I've also tried passing EDIT: Apache does not allow dynamic strings in the |
After explaining this, I understood that I had to move my first |
There were other ways of doing this, but this solution turns out to be both simple to implement and quite useful / extensible. The only commit you need is the second one, it contains a new authentication module, you can even just drop this new file into your existing installation as it should be compatible with older xpra server versions. Example usage with debugging enabled and full options: xpra start :20 --no-daemon --bind-tcp=0.0.0.0:10000,auth=capability:property=display,value=FOO --start=xterm --ssl-cert=./ssl Or just:
Since The client can then connect with:
And only with @fpom This should allow you to do what you want - please let me know if that works. I will still have to update the documentation and man page. |
I finally could have query string work, but it will be simpler this way. :) |
As of de46aa3, the URL attributes are correctly forwarded to the server. ie: xpra attach "ws://localhost:10000/foo?hello=1&FOO=BAR" Generates the following
|
I'd need a new authentication method, similar to what exists with ttyd: when started with option
--base-path /random-token
, ttyd's server only accepts requests rooted at path/random-token
. This option allows the distribution of this path to remote clients that can directly connect without further authentication.Could xpra have such a feature? I can easily imagine having
--auth=base:root=/random-token
in the CLI or something similar.The text was updated successfully, but these errors were encountered: