[GH-ISSUE #522] Support Authentication via Token #302

Closed
opened 2026-04-08 16:51:51 +03:00 by zhus · 2 comments

Originally created by @sigoden on GitHub (Jan 2, 2025).
Original GitHub issue: https://github.com/sigoden/dufs/issues/522

Design Proposal

  • Allow the token to be included in either the query string (?token=<TOKEN>) or the request header (X-TOKEN: <TOKEN>).
  • The token will take precedence over the standard authorization header. If the token authentication fails, the system will then fall back to using the authorization header for authentication.
  • Each user will be assigned a unique token. The token will be refreshed every time the dufs service is restarted.

Why this feature is needed

  • Some clients are unable to download protected resources due to their limitations in handling Basic/Digest authentication (See issues #462 and #465).
  • Solve the known compatibility problems associated with Basic/Digest authentication that can lead to unexpected errors (Refer to issue #510).
  • The WebUI can store the token in local storage, enabling users to remain logged in even after restarting their browsers.
zhus added the enhancement label 2026-04-08 16:51:51 +03:00
zhus closed this issue 2026-04-08 16:51:51 +03:00
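
The design proposed in the issue above, sketched as an added example in Rust (dufs's language); this is not code from dufs or from the issue author. It mints one random token per user at startup, so a restart invalidates them, and checks a presented token before any fallback to the Authorization header. The names `TokenStore`, `authenticate` and `ct_eq`, the preference for `X-TOKEN` over `?token=`, and reading `/dev/urandom` are assumptions made for the sketch.

```rust
// Added illustration, not dufs code; all names here are hypothetical.
use std::collections::HashMap;
use std::fs::File;
use std::io::Read;

/// Per-user tokens minted at process start, so a restart invalidates all of them.
pub struct TokenStore { by_user: HashMap<String, String> }

impl TokenStore {
    pub fn new(users: &[&str]) -> std::io::Result<Self> {
        let mut rng = File::open("/dev/urandom")?; // assumption: Unix-like host
        let mut by_user = HashMap::new();
        for user in users {
            let mut buf = [0u8; 32]; // 256 bits of entropy per token
            rng.read_exact(&mut buf)?;
            let hex: String = buf.iter().map(|b| format!("{:02x}", b)).collect();
            by_user.insert(user.to_string(), hex);
        }
        Ok(Self { by_user })
    }
    pub fn token_for(&self, user: &str) -> Option<&str> { self.by_user.get(user).map(|t| t.as_str()) }
    /// Checks every stored token without an early exit; returns the matching user.
    pub fn lookup(&self, presented: &str) -> Option<&str> {
        let mut found = None;
        for (user, token) in &self.by_user {
            if ct_eq(token.as_bytes(), presented.as_bytes()) { found = Some(user.as_str()); }
        }
        found
    }
}

/// Constant-time equality for equal-length inputs (token length is not secret).
fn ct_eq(a: &[u8], b: &[u8]) -> bool {
    a.len() == b.len() && a.iter().zip(b).fold(0u8, |acc, (x, y)| acc | (x ^ y)) == 0
}

/// Token check that runs before Basic/Digest. `None` means "fall back to the
/// Authorization header". Assumption: X-TOKEN is preferred over ?token=.
pub fn authenticate<'a>(store: &'a TokenStore, x_token: Option<&str>, query: &str) -> Option<&'a str> {
    let from_query = query.split('&').find_map(|kv| kv.strip_prefix("token="));
    x_token.or(from_query).and_then(|t| store.lookup(t))
}

fn main() -> std::io::Result<()> {
    let store = TokenStore::new(&["alice"])?; // constructed sample user
    let query = format!("sort=name&token={}", store.token_for("alice").unwrap());
    println!("{:?}", authenticate(&store, None, &query));
    Ok(())
}
```

A token carried in `?token=` is recorded in access logs, browser history and `Referer` headers, which is a reason to prefer the `X-TOKEN` header where the client can set one.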

@fredleger commented on GitHub (Jan 28, 2025):

or even better through saml for great enterprise use cases


@leoneltrich commented on GitHub (Feb 11, 2025):

I like the idea of tokens. Especially if it was a JWT! From a security standpoint, it would be great if the token was regenerated each time a user logs in using their password. I would use the Authentication header with Bearer for this. Especially with the possibility of JWT and the OAuth 2.0 standard in mind.


Reference: sigoden/dufs#302