starred/ntfy
1
0
Fork 0
mirror of https://github.com/binwiederhier/ntfy.git synced 2026-05-09 08:26:00 +02:00
Code Issues 368 Projects Packages Wiki Activity

[GH-ISSUE #601] Authentication: match username from configurable header #456

New issue
Open
opened 2026-05-07 00:24:20 +02:00 by BreizhHardware · 14 comments
BreizhHardware commented 2026-05-07 00:24:20 +02:00
Owner
Copy link

Originally created by @ngerstle on GitHub (Feb 4, 2023).
Original GitHub issue: https://github.com/binwiederhier/ntfy/issues/601

I'd like to elevate https://github.com/binwiederhier/ntfy/issues/19#issuecomment-1023118885 as an explicit feature request, that I believe enables administrators/users that self-host to handle both https://github.com/binwiederhier/ntfy/issues/530 and https://github.com/binwiederhier/ntfy/issues/296 (and may make a custom solution for https://github.com/binwiederhier/ntfy/issues/297 easier for users to implement).

I'd propose a configuration option (user-header) specifying a trusted header that a proxy in front of ntfy could set, and whose value is matched to a username. If the value matches an existing username, then ntfy assumes the request/connection to originate from that user, delegating the responsibility for credential validation to the proxy.

Example:
If the configuration for the server (server.yml) has the following:

user-header: x-forwarded-user

Then a request reaching ntfy with

POST /mytopic HTTP/1.1
Host: ntfy.sh
x-forwarded-user: ngerstle

Backup successful

would be trusted to be made by the user ngerstle.

Authorization, and user management (excepting possible changes around passwords, if desired), would not change.

This would allow any number of different authentication options for access (depending on client support), ranging from the presently implemented basic, to LDAP, OIDC, OAuth2, JWT, mTLS, etc.
Options for proxies are numerous, and include (among others):

If a dependency on a proxy is an acceptable requirement for authentication, then existing password storage and validation code could be removed entirely.

Client support for different authentication forms would vary, but differences already exist between client support for different features (streams, for example). The selection of authentication mechanism(s) can be left to administrators, and they would need to evaluate which clients support what forms of authentication.
Ideally, all clients support all forms of authentication, but applications can add support independently, and as there is interest once reverse proxies are supported. I would suggest adding mTLS/OIDC/OAuth2 to the Android/iOS apps; most programming languages have support for acquiring credentials based on common authentication flows, and if there are custom tools built I'd suggest using standard libraries.

Open question:
I defer on whether it should be possible to enable multiple forms of authentication at a time.

  1. There is the option to allow both forms of user determination to function concurrently (prioritizing the configured header if present ahead of/behind basic auth?), or making the two options mutually exclusive. Mutually exclusive authentication is easier to reason about, but makes migration between forms harder, and can result in users being locked out (if no admin user exists/can be authenticated to, though this may be a risk in any case).

I do want to compliment the project- barring some typos while switching reverse proxies, I was able to start hosting ntfy remarkably quickly, and have found it easy to use- thanks for the contribution to the opensource ecosystem!

Originally created by @ngerstle on GitHub (Feb 4, 2023). Original GitHub issue: https://github.com/binwiederhier/ntfy/issues/601 I'd like to elevate https://github.com/binwiederhier/ntfy/issues/19#issuecomment-1023118885 as an explicit feature request, that I believe enables administrators/users that self-host to handle both https://github.com/binwiederhier/ntfy/issues/530 and https://github.com/binwiederhier/ntfy/issues/296 (and may make a custom solution for https://github.com/binwiederhier/ntfy/issues/297 easier for users to implement). I'd propose a configuration option (`user-header`) specifying a trusted header that a proxy in front of ntfy could set, and whose value is matched to a username. If the value matches an existing username, then ntfy assumes the request/connection to originate from that user, delegating the responsibility for credential validation to the proxy. Example: If the configuration for the server (`server.yml`) has the following: ``` user-header: x-forwarded-user ``` Then a request reaching ntfy with ``` POST /mytopic HTTP/1.1 Host: ntfy.sh x-forwarded-user: ngerstle Backup successful ``` would be trusted to be made by the user `ngerstle`. Authorization, and user management (excepting possible changes around passwords, if desired), would not change. This would allow any number of different authentication options for access (depending on client support), ranging from the presently implemented basic, to LDAP, OIDC, OAuth2, JWT, mTLS, etc. Options for proxies are numerous, and include (among others): - [traefik](https://doc.traefik.io/traefik/middlewares/http/forwardauth/) - [caddy](https://caddyserver.com/docs/caddyfile/directives/forward_auth) - [oauth2-proxy](https://github.com/oauth2-proxy/oauth2-proxy) - [pomerium](https://www.pomerium.com/) - [cloudflare](https://developers.cloudflare.com/cloudflare-one/identity/) - [tailscale](https://github.com/tailscale/tailscale/tree/main/cmd/nginx-auth) If a dependency on a proxy is an acceptable requirement for authentication, then existing password storage and validation code could be removed entirely. Client support for different authentication forms would vary, but differences already exist between client support for different features (streams, for example). The selection of authentication mechanism(s) can be left to administrators, and they would need to evaluate which clients support what forms of authentication. Ideally, all clients support all forms of authentication, but applications can add support independently, and as there is interest once reverse proxies are supported. I would suggest adding mTLS/OIDC/OAuth2 to the Android/iOS apps; most programming languages have support for acquiring credentials based on common authentication flows, and if there are custom tools built I'd suggest using standard libraries. Open question: I defer on whether it should be possible to enable multiple forms of authentication at a time. 1. There is the option to allow both forms of user determination to function concurrently (prioritizing the configured header if present ahead of/behind basic auth?), or making the two options mutually exclusive. Mutually exclusive authentication is easier to reason about, but makes migration between forms harder, and can result in users being locked out (if no admin user exists/can be authenticated to, though this may be a risk in any case). I do want to compliment the project- barring some typos while switching reverse proxies, I was able to start hosting ntfy remarkably quickly, and have found it easy to use- thanks for the contribution to the opensource ecosystem!
BreizhHardware commented 2026-05-07 00:24:21 +02:00
Author
Owner
Copy link

@binwiederhier commented on GitHub (Feb 5, 2023):

I do not have the time to fully answer, but I do like this idea, and the WIP implementation doesn't look half bad.

It is worth noting that Android/iOS/web client also need to support whatever you are implementing, which may makes things a lot trickier.

Also: Implementing anything on top of main right now is not a good idea. I have been working on the user-account branch for over a month now, so it may be a good idea to re-base (re-implement) on top of that.

<!-- gh-comment-id:1416886911 --> @binwiederhier commented on GitHub (Feb 5, 2023): I do not have the time to fully answer, but I do like this idea, and the WIP implementation doesn't look half bad. It is worth noting that Android/iOS/web client also need to support whatever you are implementing, which may makes things a lot trickier. Also: Implementing anything on top of `main` right now is not a good idea. I have been working on the `user-account` branch for over a month now, so it may be a good idea to re-base (re-implement) on top of that.
BreizhHardware commented 2026-05-07 00:24:21 +02:00
Author
Owner
Copy link

@ngerstle commented on GitHub (Feb 5, 2023):

On reflection, as long as the topic and operation are easily extracted from the request in a generic fashion, perhaps handling authorization external to ntfy is simpler.

It seems as though ("Publish as JSON" aside), the topic is always in the url; and the action (publish/subscribe) can be determined by http method (and url, in the case of webhooks)- if this is the case, then rules in a reverse proxy can handle a fair bit of the work, with significant flexibility (mTLS + OPA, client support aside).

It seems like there's quite a bit of work in the user-account branch, and while I see work towards token based auth, the change is significant enough that I think I'll defer future work on https://github.com/binwiederhier/ntfy/pull/602 until you've completed the user-account work.

<!-- gh-comment-id:1417707665 --> @ngerstle commented on GitHub (Feb 5, 2023): On reflection, as long as the topic and operation are easily extracted from the request in a generic fashion, perhaps handling authorization external to ntfy is simpler. It seems as though ("Publish as JSON" aside), the topic is always in the url; and the action (publish/subscribe) can be determined by http method (and url, in the case of webhooks)- if this is the case, then rules in a reverse proxy can handle a fair bit of the work, with significant flexibility (mTLS + OPA, client support aside). It seems like there's quite a bit of work in the `user-account` branch, and while I see work towards token based auth, the change is significant enough that I think I'll defer future work on https://github.com/binwiederhier/ntfy/pull/602 until you've completed the `user-account` work.
BreizhHardware commented 2026-05-07 00:24:21 +02:00
Author
Owner
Copy link

@binwiederhier commented on GitHub (Feb 8, 2023):

I do think the user-account branch is very close to completeness. Structurally nothing big will change. But if you'd like to wait a few days until I merge I understand.

I do not think that handling authorization should be done outside of ntfy. authn is easy to outsource to another app, but authz is really really bound to an application usually, because it depends on resources (topics).

<!-- gh-comment-id:1421981467 --> @binwiederhier commented on GitHub (Feb 8, 2023): I do think the `user-account` branch is very close to completeness. Structurally nothing big will change. But if you'd like to wait a few days until I merge I understand. I do not think that handling authorization should be done outside of ntfy. authn is easy to outsource to another app, but authz is really really bound to an application usually, because it depends on resources (topics).
BreizhHardware commented 2026-05-07 00:24:21 +02:00
Author
Owner
Copy link

@binwiederhier commented on GitHub (Feb 23, 2023):

FYI the user-account branch is merged.

<!-- gh-comment-id:1442092878 --> @binwiederhier commented on GitHub (Feb 23, 2023): FYI the user-account branch is merged.
BreizhHardware commented 2026-05-07 00:24:21 +02:00
Author
Owner
Copy link

@helmut72 commented on GitHub (Nov 3, 2024):

FYI the user-account branch is merged.

Is there any documentation? I don't find anything from:
https://github.com/binwiederhier/ntfy/pull/602

<!-- gh-comment-id:2453579321 --> @helmut72 commented on GitHub (Nov 3, 2024): > FYI the user-account branch is merged. Is there any documentation? I don't find anything from: https://github.com/binwiederhier/ntfy/pull/602
BreizhHardware commented 2026-05-07 00:24:22 +02:00
Author
Owner
Copy link

@vic1707 commented on GitHub (Sep 14, 2025):

@helmut72 hi, were you able to find any?

<!-- gh-comment-id:3289709520 --> @vic1707 commented on GitHub (Sep 14, 2025): @helmut72 hi, were you able to find any?
BreizhHardware commented 2026-05-07 00:24:22 +02:00
Author
Owner
Copy link

@binwiederhier commented on GitHub (Jan 11, 2026):

I believe this is the branch that we were discussing: https://github.com/binwiederhier/ntfy/pull/812

I think this would help people a lot, so I'll try to do this next time I work on the server.

<!-- gh-comment-id:3735064229 --> @binwiederhier commented on GitHub (Jan 11, 2026): I believe this is the branch that we were discussing: https://github.com/binwiederhier/ntfy/pull/812 I think this would help people a lot, so I'll try to do this next time I work on the server.
BreizhHardware commented 2026-05-07 00:24:22 +02:00
Author
Owner
Copy link

@binwiederhier commented on GitHub (Jan 31, 2026):

I've tried to implement this and I have parts of it working nicely. I have a "auth-user-header" config option and the web app mostly works with it (ntfy behind Authelia). The API is also fine with it, but it just came to me that I have no clue how the Android app would handle this setup.

I know lots of people want this, but the design is not clear to me.

<!-- gh-comment-id:3829095362 --> @binwiederhier commented on GitHub (Jan 31, 2026): I've tried to implement this and I have parts of it working nicely. I have a "auth-user-header" config option and the web app mostly works with it (ntfy behind Authelia). The API is also fine with it, but it just came to me that I have no clue how the Android app would handle this setup. I know lots of people want this, but the design is not clear to me.
BreizhHardware commented 2026-05-07 00:24:22 +02:00
Author
Owner
Copy link

@binwiederhier commented on GitHub (Feb 1, 2026):

Please see the current PR here: https://github.com/binwiederhier/ntfy/pull/1579

I do not know how to resolve the "Android app" problem, so I will (for now) abandon this work until somebody chimes in with smart comments, or I have an epiphany. :-D Help is appreciated.

<!-- gh-comment-id:3829999712 --> @binwiederhier commented on GitHub (Feb 1, 2026): Please see the current PR here: https://github.com/binwiederhier/ntfy/pull/1579 ❗ ❗ I do not know how to resolve the "Android app" problem, so I will (for now) abandon this work until somebody chimes in with smart comments, or I have an epiphany. :-D Help is appreciated.
BreizhHardware commented 2026-05-07 00:24:22 +02:00
Author
Owner
Copy link

@JoeJoeTV commented on GitHub (Feb 1, 2026):

I do not know how to resolve the "Android app" problem, so I will (for now) abandon this work until somebody chimes in with smart comments, or I have an epiphany. :-D Help is appreciated.

Not sure if the Android App currently supports this, but one idea would be to use access tokens.
Usually, if interacting with an API, one is not in a browser environment, so e.g. the Authelia login page can't be displayed. In that scenario, one might still want to use the API outside of a browser, so an access token can be created while logged in, which can then be used to access the API with authelitcation.
This could also be used for the android app and would also maybe make it easier to revoke access from android clients by just deleting the token in the web interface or from the CLI.

Just my two cents.

<!-- gh-comment-id:3831118746 --> @JoeJoeTV commented on GitHub (Feb 1, 2026): > ❗ ❗ I do not know how to resolve the "Android app" problem, so I will (for now) abandon this work until somebody chimes in with smart comments, or I have an epiphany. :-D Help is appreciated. Not sure if the Android App currently supports this, but one idea would be to use access tokens. Usually, if interacting with an API, one is not in a browser environment, so e.g. the Authelia login page can't be displayed. In that scenario, one might still want to use the API outside of a browser, so an access token can be created while logged in, which can then be used to access the API with authelitcation. This could also be used for the android app and would also maybe make it easier to revoke access from android clients by just deleting the token in the web interface or from the CLI. Just my two cents.
BreizhHardware commented 2026-05-07 00:24:22 +02:00
Author
Owner
Copy link

@JoeJoeTV commented on GitHub (Feb 1, 2026):

I do not know how to resolve the "Android app" problem, so I will (for now) abandon this work until somebody chimes in with smart comments, or I have an epiphany. :-D Help is appreciated.

Another idea would be to integrate this token generation into the app, so if the instale is e.g. protected by e.g. Authelia, the app opens the browser, such that the user can log in and is redirected to some endpoint that generates a token and redirects to an app link, which is then handled by the ntfy app to store the generated token locally for accessing the API.

I think this is how this kind of integration is usually done, where a user wants to login to an remote service from an app. The app redirects to login page and that somehow sends the token that was generated after login back to the app so it can use it afterwards.

<!-- gh-comment-id:3831122669 --> @JoeJoeTV commented on GitHub (Feb 1, 2026): > ❗ ❗ I do not know how to resolve the "Android app" problem, so I will (for now) abandon this work until somebody chimes in with smart comments, or I have an epiphany. :-D Help is appreciated. Another idea would be to integrate this token generation into the app, so if the instale is e.g. protected by e.g. Authelia, the app opens the browser, such that the user can log in and is redirected to some endpoint that generates a token and redirects to an app link, which is then handled by the ntfy app to store the generated token locally for accessing the API. I think this is how this kind of integration is usually done, where a user wants to login to an remote service from an app. The app redirects to login page and that somehow sends the token that was generated after login back to the app so it can use it afterwards.
BreizhHardware commented 2026-05-07 00:24:22 +02:00
Author
Owner
Copy link

@ser commented on GitHub (Feb 1, 2026):

An ideal solution would be simply OpenID

<!-- gh-comment-id:3831171340 --> @ser commented on GitHub (Feb 1, 2026): An ideal solution would be simply OpenID
BreizhHardware commented 2026-05-07 00:24:23 +02:00
Author
Owner
Copy link

@ser commented on GitHub (Feb 1, 2026):

An ideal solution would be simply OpenID

<!-- gh-comment-id:3831171367 --> @ser commented on GitHub (Feb 1, 2026): An ideal solution would be simply OpenID
BreizhHardware commented 2026-05-07 00:24:23 +02:00
Author
Owner
Copy link

@KucharczykL commented on GitHub (May 4, 2026):

From my limited experience, OIDC should indeed solve this. For example Authentik will pull up a login page and then communicate with the app to authenticate the user. I am not an expert but I use header authentication where there is no other option but it seems it's not very suitable for more complex use cases (I would count mobile apps into this).

Maybe a good in-between would be to provide the header with the caveat that only web is supported and work on OIDC for all the other use cases.

<!-- gh-comment-id:4370202198 --> @KucharczykL commented on GitHub (May 4, 2026): From my limited experience, OIDC should indeed solve this. For example Authentik will pull up a login page and then communicate with the app to authenticate the user. I am not an expert but I use header authentication where there is no other option but it seems it's not very suitable for more complex use cases (I would count mobile apps into this). Maybe a good in-between would be to provide the header with the caveat that only web is supported and work on OIDC for all the other use cases.
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
main
dependabot/npm_and_yarn/web/fast-uri-3.1.2
email-verification
attachment-no-http2
attachment-fixes
attachment-s3
config-generator
postgres-replica
dockers-v2
postgres-support
postgres-webpush+user+message
postgres-webpush+user
postgres-webpush
1364-copy-action
crashfix
user-header
scalar-api-docs
cancel-scheduled
update-available
windows-server
303-update-notifications
postgres
admin-ui
require-login
http-clipboard
message-cache-lock
debian-stripe
predefined-users
busy-timeout
template-dir
ipv6
client-ip-header
apns-fix
feat_optional_require_login
security-updates
pg-message-cache
templating-disallow
templating-3
templating-2
message-size-limit+delay-limit
remove-rate-topics
html-emails
cf-priority
acl-underscores
auth-user-header
markdown
img-attach
web-improvements
utf8-headers
matrix-507-reject
http-response-writer
new-homepage-design
e2e
canary
windows
electron
update-messages
webhook-templating
v2.22.0
v2.21.0
v2.20.1
v2.20.0
v2.19.2
v2.19.1
v2.19.0
v2.18.0
v2.17.0
v2.16.0
v2.15.0
v2.14.0
v2.13.0
v2.12.0
v2.11.0
v2.10.0
v2.9.0
v2.8.0
v2.7.0
v2.6.2
v2.6.1
v2.6.0
v2.5.0
v2.4.0
v2.3.1
v2.3.0
v2.2.0
v2.1.2
v2.1.1
v2.1.0
v2.0.1
v2.0.0
v1.31.0
v1.30.1
v1.29.1
v1.29.0
v1.28.0
v1.27.2
v1.27.1
v1.26.0
v1.25.2
v1.25.1
v1.25.0
v1.24.0
v1.23.0
v1.22.0
v1.21.2
v1.21.1
v1.21.0
v1.20.0
v1.19.0
v1.18.1
v1.18.0
v1.17.1
v1.17.0
v1.16.0
v1.15.0
v1.14.1
v1.14.0
v1.13.0
v1.12.1
v1.12.0
v1.11.1
v1.11.2
v1.11.0
v1.10.0
v1.9.0
v1.8.0
v1.7.0
v1.6.1
v1.6.0
v1.5.3
v1.5.2
v1.5.1
v1.5.0
v1.4.8
v1.4.7
v1.4.6
v1.4.5
v1.4.4
v1.4.3
v1.4.2
v1.4.1
v1.4.0
v1.3.2
v1.3.3
v1.3.1
v1.3.0
v1.2.5
v1.2.4
v1.2.3
v1.2.2
v1.2.1
v1.2.0
v1.1.3
v1.1.2
v1.1.1
v1.1.0
v1.0.0
v0.0.5
v0.0.4
v0.0.3
v0.0.2
v0.0.1
Labels
Clear labels   
ai-generated

   
android-app

   
android-app

   
android-app

   
🪲 bug

   
build

   
build

   
dependencies

   
docs

   
enhancement

   
enhancement

   
🔥 HOT

   
in-progress 🏃

   
ios

   
prio:low

   
prio:low

   
pull-request
Mirrored from GitHub Pull Request

  
question

   
🔒 security

   
server

   
server

   
unified-push

   
web-app

   
website
No labels
ai-generated
android-app
android-app
android-app
🪲 bug
build
build
dependencies
docs
enhancement
enhancement
🔥 HOT
in-progress 🏃
ios
prio:low
prio:low
pull-request
question
🔒 security
server
server
unified-push
web-app
website
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
starred/ntfy#456
No description provided.