Proposal: Secure, Persistent JWT/HTTPS Token Authentication for Custom ComfyUI Servers #2544
Replies: 1 comment 1 reply
-
|
Isn't there a setting already that injects a bearer token? It doesn't have UI, but I don't understand why you have to change code after every update, the token should persist in settings.json and continue working. I'm okay with adding UI to enter the token, just needs to be clear that it's optional so people with local servers (by far the most common) aren't confused. I'm not convinced it's necessary to add all the complexity and platform-dependent code to for credential storage (and all the other LLM bloat) with reliance on command line tools, these things are likely to break and hard to reproduce. Storing plain text is not ideal but I don't see a big enough threat here. |
Beta Was this translation helpful? Give feedback.
Uh oh!
There was an error while loading. Please reload this page.
-
Problem Description
Many users deploy remote ComfyUI instances or endpoints behind secure reverse proxies, API gateways, or authentication providers (e.g., Cloudflare Access, Authelia, NGINX Basic/Bearer auth, etc.) that require a token or JWT to access both HTTP endpoints and WebSocket connections.
Currently, the plugin lacks a dedicated, persistent interface in the settings UI to supply an authorization token for custom servers. If a remote setup requires token-based authentication, users have to manually configure headers or re-enter details, which lacks persistence and leads to security exposures.
Proposed Solution
I propose adding secure, persistent JWT/Bearer token authentication support for Custom Servers with the following architecture:
QLineEdit.Password) labeled Authorization Token under the Custom Server configuration layout.settings.json(where it is saved as an empty string"").advapi32.dll(CredWriteW/CredReadWviactypes)./usr/bin/securitytool).secret-toolCLI fromlibsecret).keyringpackage if available, but include native fallbacks (ctypesandsubprocessCLI wrappers) so the credential storage works out-of-the-box in Krita's embedded Python interpreter without requiring users to run pip install. Nomachine-idor hardware UUIDs are read.RequestManagerto automatically inject the token as a Bearer token header (Authorization: Bearer <token>) on all HTTP requests.ComfyClientto inject the same token during the WebSocket connection upgrade handshake viaadditional_headers.model/root.pylogs).Implementation Details
I have prepared and tested changes covering:
ai_diffusion/secure_storage.py[NEW]: The secure storage helper managing OS keychain operations and fallback checks.ai_diffusion/settings.py: Interceptssave()andload()to direct theserver_authorizationsetting to secure storage, keepingsettings.jsonsecure.ai_diffusion/ui/settings.py: Adds theserver_authorizationpassword-echo input field to the settings tab UI.ai_diffusion/model/connection.py: Passes the decrypted token to the client.ai_diffusion/backend/comfy_client.py: Injects the token into HTTP client headers and WebSocket handshakes.tests/test_secure_storage.py&tests/test_auth.py[NEW]: Thorough unit tests covering local keyrings, mock overrides, HTTP auth injection, and WebSocket handshake arguments.docs/src/content/docs/authentication.mdx[NEW]: Comprehensive user-facing documentation integrated directly into the Astro Starlight handbook.Benefits
settings.json.And the best part? It's already coded. See for yourself here: https://github.com/TheModdersDen/krita-ai-diffusion/tree/feat/better-auth-handling
I'm open to suggestions/changes to this codebase, but I've basically gotten tired of having to hand-code in the auth code every time this plugin updates (thus breaking my code). I feel it's time it is officially added into the plugin.
Beta Was this translation helpful? Give feedback.
All reactions