[GH-ISSUE #2781] [Bug]: Reverse proxy header auth still prompts for password #26900

Closed
opened 2026-04-18 03:15:45 -05:00 by GiteaMirror · 4 comments

Originally created by @slapcat on GitHub (May 19, 2024).
Original GitHub issue: https://github.com/actualbudget/actual/issues/2781

Verified issue does not already exist?

  • I have searched and found no existing issue
  • I will be providing steps how to reproduce the bug (in most cases this will also mean uploading a demo budget file)

What happened?

When using header auth, the web UI still prompts for a password. I'm asked to enter one, but then it will accept any password. Server logs show this when I login:

May 18 16:05:32 actualbudget yarn[832]: Logging in via header
May 18 16:05:32 actualbudget yarn[832]: HEADER VALUE: ************
May 18 16:05:32 actualbudget yarn[832]: Header Auth Login permitted from xx.xx.xx.xx

Header auth has been configured in the src/load-config.js file as the default login method:

  let defaultConfig = {
    loginMethod: 'header',
    // ...remaining defaults unchanged
  };

I'm using Apache2 reverse proxy and configured it along the lines of the example here (https://github.com/twk3/actual-auth-header-example/blob/main/nginx-data/default.conf):

  <LocationMatch "/account/login/">
  ProxyPass http://xx.xx.xx.xx:5006/
  ProxyPassReverse http://xx.xx.xx.xx:5006/
  # "Header" modifies the RESPONSE sent back to the browser
  Header add X-ACTUAL-PASSWORD "****"
  # "RequestHeader" modifies the REQUEST forwarded to the backend
  RequestHeader set X-ACTUAL-PASSWORD "****"
  </LocationMatch>

  ProxyPass / http://xx.xx.xx.xx:5006/
  ProxyPassReverse / http://xx.xx.xx.xx:5006/

  # same two directives applied server-wide
  Header add X-ACTUAL-PASSWORD "****"
  RequestHeader set X-ACTUAL-PASSWORD "****"

I can see the header is correctly added when I am given the password prompt:
(screenshot: https://github.com/actualbudget/actual/assets/52802566/0a5324c8-025e-43b0-8c30-d47a375ab3d6)

Where are you hosting Actual?

Locally via Yarn

What browsers are you seeing the problem on?

Firefox, Chrome

Operating System

Linux

GiteaMirror added the bug label 2026-04-18 03:15:45 -05:00
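For comparison, an Apache configuration for the same setup written the way a reviewer would want it. This is an added example, not the reporter's config, the linked nginx example, or anything shipped by Actual; the hostname, the 127.0.0.1:5006 backend, the htpasswd path, and the ACTUAL_PASSWORD environment variable are assumptions. The important difference from the config quoted above is that `Header add` modifies the response Apache returns to the browser, so it sends the shared password to every client, whereas only `RequestHeader set` is needed to inject it into the proxied request.

```apache
# Added example: hardened header-auth reverse proxy for Actual (not project code).
# Requires mod_proxy, mod_proxy_http, mod_headers, mod_ssl, mod_auth_basic.
# Assumes Actual listens only on 127.0.0.1:5006 (not reachable from outside)
# and that ACTUAL_PASSWORD is exported in httpd's environment before start
# (e.g. via an EnvironmentFile in the systemd unit); Apache expands ${VAR}.
<VirtualHost *:443>
    ServerName budget.example.com
    SSLEngine on
    # SSLCertificateFile / SSLCertificateKeyFile as appropriate for the host

    # The proxy itself must authenticate the user; otherwise anyone who can
    # reach it is logged in automatically. Basic auth is the simplest option,
    # mod_auth_openidc or similar is the usual production choice.
    <Location />
        AuthType Basic
        AuthName "Actual Budget"
        AuthUserFile /etc/apache2/actual.htpasswd
        Require valid-user
    </Location>

    ProxyPreserveHost On
    ProxyPass        / http://127.0.0.1:5006/
    ProxyPassReverse / http://127.0.0.1:5006/

    # Only ever forward OUR value: remove anything the client supplied, then
    # set the header on the proxied request. "set" already overwrites, but the
    # explicit "unset" documents the intent.
    RequestHeader unset X-ACTUAL-PASSWORD
    RequestHeader set   X-ACTUAL-PASSWORD "${ACTUAL_PASSWORD}"

    # Never "Header add X-ACTUAL-PASSWORD": that is a response header and would
    # hand the password to every browser. Strip it defensively in case the
    # backend ever echoes it back.
    Header unset X-ACTUAL-PASSWORD
</VirtualHost>
```

Quick check after a reload: `curl -sI -u user:pass https://budget.example.com/ | grep -i x-actual-password` should print nothing, and a request sent straight to port 5006 from another host should be refused by the network, not by the application.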

@twk3 commented on GitHub (May 20, 2024):

@slapcat the changes to support header auth are only in the master branch at the moment. So you need both the master branch of actual-server AND the master branch of the UI. The server master branch comes with the released version of the UI, and not master, which is likely resulting in the issue you are seeing.


@slapcat commented on GitHub (May 20, 2024):

Thanks for clarifying that @twk3 ! I'm trying to figure out how to use the master branch of the UI with the actual-server, but I'm having trouble finding the common files between the two. Can you share the steps?


@twk3 commented on GitHub (May 21, 2024):

In the actual checkout, you build the UI using:

  1. yarn install
  2. ./bin/package-browser

Then in the actual-server checkout, you add the UI as a file path based dependency.

  1. yarn add <path-to-actual-checkout>/packages/desktop-client

And then running the server like normal should give you the UI that you built


@slapcat commented on GitHub (May 21, 2024):

Thanks! Once I did that the header auth worked as expected.
