Setting/passing password as cookie is not working anymore

[weikai]

For security reason, I run code-server with a custom password. On the Apache server, I set the password cookie on the RequestHeader. It's working fine on the first and second official V2 releases but not anymore on the newer releases. It keeps redirecting to /login even though the password cookie is already there. Also, when it redirects, can code-server updated to redirect to ./login not /login? Proxy server might forward a directory to code-server, sending user back to /login is returning 404. Can the problems be fixed or implement basic authentication on code-server?

Set password cookie for requests

`RequestHeader set Cookie "password=password"
RequestHeader set X-Forwarded-Proto https
RequestHeader set X-Forwarded-Port 443

RewriteCond %{HTTP:Upgrade} =websocket [NC]
RewriteRule /drupal/(.*) ws://ide.drupal:8080/$1 [P,L]
ProxyPass /drupal/ http://ide.drupal:8080/ nocanon
ProxyPassReverse /drupal/ http://ide.drupal:8080/`

Run code-server with custom password

PASSWORD='password' /opt/vscode/code-server --auth password --port 8080 /www

[sr229]

Our recommended way is to pass the password as a environment variable. Based on my own testing passwords should still work as intended, but I suggest doing it as a variable instead of intercepting it from the reverse-proxy.

[code-asher]

Also, when it redirects, can code-server updated to redirect to ./login not /login? Proxy server might forward a directory to code-server, sending user back to /login is returning 404.

Using --base-path should fix this. For example code-server --base-path /drupal.

On the Apache server, I set the password cookie on the RequestHeader. It's working fine on the first and second official V2 releases but not anymore on the newer releases.

The authentication cookie has changed. It's now "key" and it's a hash of the password. But like @sr229 mentioned you're safer with the environment variable since although for now the hash is static it could become dynamic in the future (by using a generated salt).

[code-asher]

Actually I see you're already using the environment variable, which makes sense since otherwise you wouldn't have a custom password at all. 😛

So you could update your cookie to use "key=password hash" but is there any reason you couldn't remove that line and log in normally through the browser?

Also I'm not sure what you mean by implementing basic authentication in code-server. Isn't basic authentication something you can handle from the proxy?

[weikai]

Thank you all. Setting the key with password hash cookie fixed the problem. No basic authentication is need since setting key cookie is working.

I do authentication on proxy server and want to make sure no one on the LAN can access code-server without authentication. As a result, I set custom password on code-server and configured proxy server to pass the key cookie.