Hello, we are new to Vikunja and we are considering migrating from Trello.
We would like to understand if it is possible to protect the API and the UI with the nginx auth_basic module.
Basically, when auth_basic is enabled, you can type user/pass manually or use a link like: https:// user : pass @ domain
So we are able to reach the frontend and the API; however the frontend, as it looks right now, does not seem to understand the
https:// user : pass @ domain syntax (window.API_URL in index.html).
Can you suggest if there is a way to achieve this?
Hey there, great to have you!
Basic auth won’t work with Vikunja because the credentials are sent via the Authorization header, which Vikunja itself uses to authenticate the API requests.
As I see it you have a few options:
- Use something like authelia or cloudflare access (they are cookie based) to put an authentication wall between Vikunja and your users.
- Use a VPN and make Vikunja only available from inside that VPN network
- Don’t put Vikunja behind another layer of authentication. Vikunja itself has authentication and you can’t do anything without being authenticated. If you disable registration you can fully control who can access your instance.
I didn’t mean to replace Vikunja’s authentication with auth_basic, I just meant to add another layer of security by giving users a link like https://USER:PASS@my.vikunja.instance.com instead of https://my.vikunja.instance.com, but after that they must still authenticate with their Vikunja password.
That means that every scan/brute-force/pentest from the outside will be blocked by auth_basic in the first place.
For the points you pointed out:
We don’t want to rely on external companies or third-party software.
We don’t want to install VPN software on employee computers.
Yes, without authentication you can’t do anything, but at the moment we would like to protect against a possible 0day, since we are putting very sensitive information on Vikunja.
So, as stated, unfortunately putting USER/PASS into window.API_URL does not work, but supporting this as an option would make Vikunja stronger.
I understood that - the problem is browsers send the basic auth credentials via the Authorization header Vikunja uses as well. There’s no way around that, so Vikunja can’t really support it.
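A small model of the header collision discussed in this thread, as an added example that is not part of the thread or of Vikunja's own code. It treats the nginx auth_basic gate and the application's Bearer check as two consumers of the single Authorization header a request carries, and shows why a cookie-based gate (the authelia / Cloudflare Access option mentioned above) can coexist with the app's token; all user names, passwords, tokens and the `gate_session` cookie name are constructed.

```python
import base64
import hmac

# Constructed demo credentials and tokens; not real secrets.
GATE_USERS = {"alice": "gate-password"}          # what an htpasswd-backed auth_basic gate checks
APP_TOKENS = {"constructed-jwt": "alice"}         # what the application checks as a Bearer token
GATE_SESSIONS = {"constructed-session": "alice"}  # what a cookie-based gate checks


def basic_header(user: str, password: str) -> dict:
    """Headers a browser sends after a user fills in an auth_basic prompt or a user:pass@ URL."""
    raw = f"{user}:{password}".encode()
    return {"Authorization": "Basic " + base64.b64encode(raw).decode()}


def bearer_header(token: str) -> dict:
    """Headers the application's frontend sends on API calls (its own session token)."""
    return {"Authorization": "Bearer " + token}


def gate_basic_auth(headers: dict) -> bool:
    """Model of the nginx auth_basic gate: it accepts only 'Authorization: Basic ...'."""
    value = headers.get("Authorization", "")
    if not value.startswith("Basic "):
        return False
    try:
        user, _, password = base64.b64decode(value[6:]).decode().partition(":")
    except ValueError:  # binascii.Error and UnicodeDecodeError are both ValueErrors
        return False
    expected = GATE_USERS.get(user)
    return expected is not None and hmac.compare_digest(expected, password)


def gate_cookie_auth(headers: dict) -> bool:
    """Model of a cookie-based gate: the gate session lives in Cookie, not in Authorization."""
    cookies = dict(c.split("=", 1) for c in headers.get("Cookie", "").split("; ") if "=" in c)
    return cookies.get("gate_session") in GATE_SESSIONS


def app_bearer_auth(headers: dict):
    """Model of the application's own check: it expects 'Authorization: Bearer <token>'."""
    value = headers.get("Authorization", "")
    return APP_TOKENS.get(value[7:]) if value.startswith("Bearer ") else None


def request(headers: dict, gate) -> str:
    """Run one request through the gate and then the app; both read the same header set."""
    if not gate(headers):
        return "401 from gate"
    user = app_bearer_auth(headers)
    return f"200 as {user}" if user else "401 from app"
```

With the Basic gate, a browser-supplied Basic header passes nginx but the app never sees its Bearer token, and the frontend's Bearer header never passes nginx; with the cookie gate, the same Bearer request succeeds.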