@wangjia184

To enable it, just specify the HTTP_USERNAME and HTTP_PASSWORD in environment variables

E.g.

```
docker run -d --restart=always --name kokoro --gpus all --runtime=nvidia \
   -p 8880:8880 \
   -e HTTP_USERNAME=admin \
   -e HTTP_PASSWORD=pwd \
   remsky/kokoro-fastapi-gpu:v0.2.2
```

@RBEmerson970

WHY??? This app is all local activity! Please do NOT do this! This app is becoming far too complex as it is.

@fireblade2534
Collaborator

@wangjia184 why not use the api_key param so it is compatible with OpenAI specs and API design in general?

@wangjia184
Author

@fireblade2534 how to enable api_key for this API? I am not familiar with OpenAI's protocol. Is it done by Bearer Authentication? How is it enabled in the docker image? Some other environment variables?

Thanks

@wangjia184
Author

wangjia184 commented Mar 5, 2025

@RBEmerson970 local activity also needs authentication.
So, in a network running 10k+ servers, authentication is a mandatory requirement even for an internal API. We don't need HTTPS, but authentication is always required.

The reason comes from compliance requirements (e.g., PCI DSS, NIST 800-53, CIS Controls) which explicitly require authentication for all system interfaces, regardless of network locality.

In short, it is not allowed to deploy an unauthenticated API in our network even if it is only accessed locally, because non-compliant endpoints may fail audits or violate contractual obligations.

So, it is really needed. Basic Auth is better than Bearer Authentication and other approaches like OAuth because it is friendly to web browsers. You have the choice of not enabling it by default.

@RBEmerson970

I'd call that in-house, not local. Authentication, etc. becomes a job for your IT staff.

@wangjia184
Author

DevOps/IT staff certainly can set up a firewall to isolate it, but... according to the compliance requirement, any API that can be accessed from another machine must be authenticated. Unless the API is bound to localhost, it is not allowed, even if it is in a K8S group. I know it is way too strict, but financial institutions always go this way. It is about obligations instead of technology.

@fireblade2534
Collaborator

@wangjia184 https://platform.openai.com/docs/api-reference/authentication

@RBEmerson970 I think that having the option for authentication is a good idea as long as it can be disabled. Also, the implementation in this PR is not that complex.

@RBEmerson970

Option, yes, requirement, no.

IMNSHO the issue heads into commercial vs. private use.

@fireblade2534
Collaborator

Agreed, authentication should be optional.

@wangjia184
Author

> @wangjia184 https://platform.openai.com/docs/api-reference/authentication

I see, it is Bearer Authentication, that can be implemented

@jcheek

jcheek commented Jul 8, 2025

+1 for this, if I'm allowed to vote. It only enforces basic auth if username and password are set, so 100% backward-compatible. But also would love to see (optional) Bearer Auth as well.
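
The opt-in behaviour discussed in this thread (Basic auth enforced only when both HTTP_USERNAME and HTTP_PASSWORD are set), as an added example that is not the PR's code and not part of any comment above. The function name `authorize`, the realm string and the sample credentials are assumptions, and it uses only the Python standard library rather than the project's FastAPI code.

```python
import base64
import hmac
import os


def authorize(authorization_header, env=None):
    """Return (status, response_headers) for one request's Authorization header.

    Auth is enforced only when both HTTP_USERNAME and HTTP_PASSWORD are set;
    otherwise every request passes, which keeps existing deployments working.
    """
    env = os.environ if env is None else env
    username = env.get("HTTP_USERNAME")
    password = env.get("HTTP_PASSWORD")
    if not username or not password:
        # Note: setting only one of the two variables leaves the API open.
        return 200, {}

    # Realm value is a constructed placeholder.
    challenge = {"WWW-Authenticate": 'Basic realm="kokoro"'}
    if not authorization_header:
        return 401, challenge
    scheme, _, token = authorization_header.partition(" ")
    if scheme.lower() != "basic":
        return 401, challenge
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:
        # Bad base64 or bad UTF-8 is a client error, never a 500.
        return 401, challenge
    # RFC 7617: the user-id cannot contain ':', but the password can,
    # so split on the first colon only.
    user, sep, pwd = decoded.partition(":")
    if not sep:
        return 401, challenge
    # Evaluate both comparisons before combining them, each in constant time.
    user_ok = hmac.compare_digest(user.encode(), username.encode())
    pwd_ok = hmac.compare_digest(pwd.encode(), password.encode())
    return (200, {}) if user_ok and pwd_ok else (401, challenge)
```
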
