Hello!
I need to host a private Flatpak remote with restricted access by using Basic Auth (login/password). Is it possible to make Flatpak client add Authorization HTTP header to its requests?
I tried to modify added remote URL by adding Basic Auth credentials (https://user:password@remoteUrl.com) but (1) it doesn’t work (they were ignored) (2) it’s unsafe because every user can see credentials by calling remotes command.
Thanks in advance.
Authentication for an entire remote is, AFAIK, not supported or in development.
That being said:
Since Flathub is working on support for app purchases, they have worked on authentication for individual apps. And AFAIK the technical side mostly is done in Flatpak.
Though I’m not fully sure how you would go and use this for your own purpose, but that would seem to be the direction to look into.
BTW about Basic Auth: I tried to add credentials to a repo URL and it works (Authorization HTTP header is appeared).
flatpak remote-modify --url https://username:password@nightly.gnome.org/repo/ gnome
However these credentials can be seen while doing flatpak remotes so it is very simple but not secure solution.
I’ve found the entity named Authenticator (sample is here). You can add it as an flatpak remote-add cmd argument and authenticator would handle everything related to authentication. I guess I can make something good from it (documentation and code are really hard to understand though).
