support http basic auth

[dJani97]

Hi!

The Immich mobile app now supports sending arbitrary HTTP header values to the server, which allows setting up basic authentication using a reverse proxy: immich-app/immich#6840

Such a server will be unreachable from the outside world without supplying the basic auth headers. Could immich-go also support basic auth?

[simulot]

The use of tokens for the authentification to the API is better practice than the use of password.

You may consider following options:

• configure the proxy to let API calls to pass through
• bypass the proxy by call the physical IP address of the server
• use a VPN to access to the server's local IP

[oddlama]

The use of tokens for the authentification to the API is better practice than the use of password.

How so? Adding basic_auth to a reverse proxy prevents all requests from hitting the server at all, unless authenticated. If there were a pre-authentication security vulnerability in immich (which we cannot know) and you let API calls pass through, then it can be exploited. But adding basic_auth would prevent this.

So token authentication isn't strictly better practice, it entirely depends on your threat model. Someone who'd configure basic_auth on immich probably does so to add additional security to their instance.

Recommending the use of a overlay network is fair advice, but saying that tokens are better than passwords is without merit.

[simulot]

This is a shared opinion on the internet and I'm certainly not a security expert.

The API key is easy to implement.
The immich commits regarding this issue are about JWT. I'd need some help to implement it correctly.