mirror of
https://github.com/actualbudget/actual.git
synced 2026-07-16 07:04:23 -05:00
Closed
opened 2026-04-26 01:30:07 -05:00 by GiteaMirror
·
8 comments
No Branch/Tag Specified
master
dependabot/npm_and_yarn/npm_and_yarn-cd62b4b37a
api-browser-custom-data-dir
tabedzki/feat/replacing-month-picker-with-day-picker
delay-initial-sync-until-loaded
jfdoming/mobile-app-build
cross-version-sync-compat
jfdoming/api-tokens-part-1
jfdoming/api-tokens-part-2
jfdoming/api-tokens-part-3
jfdoming/mobile-app-updates
claude/budget-version-migration-compat-151jlr
claude/worker-error-serialization-9iqtl7
claude/react-table-library-research-afx83z
claude/issue-8401-regression-test-9nw9l3
jfdoming/mobile-app-foundation-part-1
jfdoming/mobile-app-scaffold
release
ai-fix-cleanup-def-8290
claude/relaxed-shannon-jusywa
claude/fervent-keller-s6f2fq
claude/determined-feynman-st1y9z
claude/wizardly-einstein-vi2wce
claude/sweet-albattani-7nseio
feat/bank-sync-per-budget-file
claude/affectionate-cannon-y0kc82
claude/dependabot-findings-m9pgmb
claude/mac-app-ios-publish-zjs1lz
claude/vigilant-tesla-aiiyos
depot-migrate-secrets-1781296330308
claude/quirky-cerf-v5qck7
claude/animation-removal-alternative-2etfh1
claude/netlify-preview-comments-consolidate-9XPYa
osc/7391-error-boundaries-reports
claude/pensive-dijkstra-7DYui
claude/server-app-version-mismatch-HTCGv
claude/pr-8027-review-feedback-mELuO
claude/zealous-wozniak-e5pO0
claude/intelligent-heisenberg-BSHJq
claude/translation-download-refactor-jFRsO
claude/mobile-performance-ideas-G9PAO
claude/github-issue-7988-5A5ly
blacksmith-migration-ff70d2d
claude/great-mayer-KRvOk
claude/react-native-ios-compilation-fcJh5
claude/serene-goldberg-58xv0
claude/kind-euler-LVG3K
release-automation/edge-nightly
7710-bundle-migrations
claude/fix-docker-build-error-WMfed
claude/llm-compatible-release-notes-t20Nr
7710-tests-tdd
cursor/transaction-table-rewrite-f077
claude/plan-ci-secure-context-OtEe1
claude/fix-issue-7667-DPXi3
cursor/resolve-pr-7449-ee11
claude/fix-typescript-build-error-JPtZ5
copilot/add-repository-configs-to-packages
worktree-compressed-drifting-ritchie
claude/api-consumer-verification-kfz1K
pr-7454
claude/fix-issue-7410-LLLQ4
revert-7281-generate-icons
react-query-useSchedules
copilot/sub-pr-6140
package-upgrades
v26.7.0
v26.6.0
v26.5.2
v26.5.1
v26.5.0
v26.4.0
v26.3.0
v26.2.1
v26.2.0
v26.1.0
v25.12.0
v25.11.0
v25.10.0
v25.9.0
v25.8.0
v25.7.1
v25.7.0
v25.6.1
v25.6.0
v25.5.0
v25.4.0
v25.3.1
v25.3.0
v25.2.1
v25.2.0
v25.1.0
v24.12.0
v24.11.0
v24.10.1
v24.10.0
v24.9.0
v24.8.0
v24.7.0
v24.6.0
v24.5.0
v24.4.0
v24.3.0
v24.2.0
v24.1.0
v23.12.0
v23.11.0
v23.10.0
v23.9.0
v23.8.1
v23.8.0
v23.7.2
v23.7.1
v23.7.0
v23.6.0
v23.5.0
v23.4.2
v23.4.1
v23.4.0
v23.3.2
v23.3.0
v23.2.9
v23.2.5
v23.1.12
v22.12.9
Labels
Clear labels
AI generated
API
bank sync
budgeting
bug
can’t replicate
dependencies
docker
documentation
electron
experimental feature
feature
feedback
goal templates
good first issue
help wanted
importers
maintenance
needs info
needs testing
needs triage
needs votes
openid
payees
pull-request
regression
reports
responsive
rules
schedules
server
✨ merged
split transactions
tech debt
tech-support
theme
transaction import
transaction reconciliation
transactions
translations
upstream
user interface
✅ approved
wontfix
Mirrored from GitHub Pull Request
No Label
feature
Milestone
No items
No Milestone
Projects
Clear projects
No project
No Assignees
Notifications
Due Date
No due date set.
Dependencies
No dependencies set.
Reference: github-starred/actual#41953
Reference in New Issue
Block a user
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Originally created by @max-tet on GitHub (Mar 14, 2023).
Original GitHub issue: https://github.com/actualbudget/actual/issues/1092
Verified feature request does not already exist?
💻
Pitch: what problem are you trying to solve?
When self-hosting multiple applications, you really want to have a single point for user management and authentication. It is annoying to login to each and every app seperately.
Describe your ideal solution to this problem
A pretty simple way to centralize authentication is achieved by deploying apps behind a reverse proxy, and use proxy auth. The proxy handles authentication in some way and sets http headers containing the username that was successfully logged-in. The apps read the headers and associate incoming requests to that user.
The perfect proxy auth feature for me would work like this:
Other SSO methods like OIDC still require the user to login with each app, even it no credentials are required. It is still an additional step that is unneeded and hurting the user experience.
Here are some examples of apps that feature proxy authentication: FreshRSS, LinkDing, Navidrome.
Additional context:
I am using the app for this product. Since this is a single-user platform, users really should see no login screen at all, not even for SSO.
Teaching and learning
The documentation should contain a section about proxy auth where the configuration is described.
@j-f1 commented on GitHub (Mar 14, 2023):
How would you feel about generating an auth token and then having the proxy inject a
Authorization: Bearer ${token}header in all requests? I don’t think most existing setups would work well since they are intended to work for multiple users, although we certainly could move to one of them if/when we add multi-user support.@max-tet commented on GitHub (Mar 14, 2023):
Right, I did not consider that Actual has no user management/is a single-user app.
In that case, tbh, the most straightforward approach would be to offer an option to just disable the password prompt completely. But I have seen a discusson about this which was deemed too insecure if I am not mistaken. I personally don't agree, after all the option would have to be actively enabled.
The alternative with the token is an interesting option. If it works for me would depend on how the token is generated and how the proxy would get to it. If Actual generates it itself, I don't think it would work. It would have to be known before the app is started.
It could be set by an environment variable, e.g.
AUTH_TOKEN=supersecrettoken. Perhaps also specify the header key likeAUTH_TOKEN_HEADER=auth-token. Then, the proxy would set the headerauth-token=supersecrettoken. (I would skip theBearerprefix.)But again, an option to simply disable the password auth is the most simple approach and totally legitimate imo. You can add a large warning label in the docs that people should setup their proxy properly when using the option.
@github-actions[bot] commented on GitHub (Jun 2, 2023):
✨ Thanks for sharing your idea! ✨
This repository is now using lodash style issue management for enhancements. This means enhancement issues will now be closed instead of leaving them open. This doesn’t mean we don’t accept feature requests, though! We will consider implementing ones that receive many upvotes, and we welcome contributions for any feature requests marked as needing votes (just post a comment first so we can help you make a successful contribution).
The enhancement backlog can be found here: https://github.com/actualbudget/actual/issues?q=label%3A%22needs+votes%22+sort%3Areactions-%2B1-desc+
Don’t forget to upvote the top comment with 👍!
@MFYDev commented on GitHub (Sep 7, 2023):
Hi, just think this and found the issue, is there any progress here?
@deathblade666 commented on GitHub (Jan 12, 2024):
Hello, I was pointed to this issue as i was asking about this very thing. trying to setup SSO but dont want to have to double auth. as detailed above if disabling the password prompt or using proxy auth headers could be a thing that would make this possible!!
@joewashear007 commented on GitHub (Feb 9, 2024):
Hell, I am use Authentik for Proxy SSO. I see that the app uses the
X-ACTUAL-TOKENheader which it got from the api. Is it possible to have the nginx proxy pass this header along? I tried setting it withproxy_set_header X-ACTUAL-TOKEN <value from application>but it sadly didn't work.I would love to see this implemented, so that I can do the authentication via Authentik, and them my wife i could simple access the application with our own individual accounts (on the proxy side - i understand there is only one actual account)
@d3x7r0 commented on GitHub (Feb 23, 2024):
Just adding my 2 cents to this feature request. I'm looking into setting up Actual for myself as well and I already use Authelia for authentication which supports header based Auth. It would be great to have Actual support these headers as well.
Here's Authelia's documentation on the feature. They forward 4 headers: Username, User Groups, User Display Name and User Email. Then, tools that support this will usually have some sort of configuration for these headers and a whitelist for proxies they accept headers from (see Organizr's example)
@youngcw commented on GitHub (Jun 13, 2024):
Im going to close this off as completed. The ability to pass a password via header to bypass the server password was added in v24.6.0.
For discussion on more involved login/users please use #524