Feature Request: support http basic auth in kanboard URL

[aslmx]

Actual behaviour

Try to setup a kanboard connection with

https://http-user:http-password@fqdn.to-kanboard.org/path/to/kanboard

WIth
user: kanboard-username
password: kanboard-user-password

Login will fail. Kandroid will complain that the Kanboard Version used is smaller than 1.0.38. Altough it is 1.0.45.

As there are a lot of HTTP 401s in the apache access.log, i assume that basic auth credentials in the URL are not used / parsed.

Expected behaviour

Kandroid uses the credentials provided in the URL to pass the HTTP BASIC AUTH that our webserver requires. Uses Kanboard credentials to auth against kanboard.

Steps to reproduce

Setup a server with http basic auth on Kanboard path, like

user@host# cat .htaccess
AuthType Basic
AuthName "Restricted Content"
AuthUserFile /etc/apache2/.htpasswd
Require valid-user

Configuration

• Kandroid version: 0.54
• Android/Mod version: Different Devices, Samsung S5+ and Huawei P9 lite
• Theme (if you use one): none
• Device type, name and manufacturer: see device
• Kanboard version: 1.0.45 (updated, just for Kandroid ;))

[andresth]

Hi,
HTTP BASIC AUTH is already used to authenticate against Kanboard.

If I understand your setup correctly, you added a second layer of authentication.
So you have to login to see the Kanboard login page, is that correct?

[aslmx]

Well, i have the normal Kanboard User Authentication via the normal login form.

However, to shield off the Kanboard from the "evil open internet" i added HTTP BASIC Auth for Apache. So whenever someone is accessing our Kanboard, he will first be asked by Apache to authenticate himself against the webserver to be even able to see the Kanboard Login Page. (we use a shared password for this - this is not meant to add bullet proof security, just to keep google and other bots off the server and also block random people browsing)
When this succeeded the user will either still have a valid kanboard session or rather be shown the Kanboard login form to login with his personal account.

Does that answer your question somehow? :)

[Natenom]

+1
I use the same setup as aslmx and would also like to have support for this in Kandroid.

[linvinus]

another possible solution:
disable basic authentication for some secret location for example /kanboard/supersecret/jsonrpc.php
then use rewrite rule to restore correct path /kanboard/jsonrpc.php
use username and API key to login, this will work even for remote auth. users.

[linvinus]

@aslmx you may avoid double layer authentication with following kanboard settings
define('REVERSE_PROXY_AUTH', true);
define('REVERSE_PROXY_USER_HEADER', 'REMOTE_USER');
define('REVERSE_PROXY_DEFAULT_ADMIN', 'administrator');
define('REVERSE_PROXY_DEFAULT_DOMAIN', 'somedomain.com');

you also need to configure apache to pass REMOTE_USER environment variable
RewriteEngine On
RewriteCond %{REMOTE_USER} ^(.)$
RewriteRule ^(.)$ - [E=R_U:%1]
RequestHeader set REMOTE_USER %{R_U}e

[pikaro]

+1

I authenticate to PAM with HTTP Basic Auth, i. e. there's already robust and flexible authentication in place. Since Kanboard provides the option to use a reverse proxy for authentication and deactivate its login form as @linvinus mentioned, this concept appears to be supported by the server project which should be reflected in the app.