Is it possible to add an Authentication header to the RPC client?

[realityexpander]

Is it possible to add an Authentication header to the RPC client?

Like this:

// App.kt

suspend fun setupRPC(): NewsService = client.rpc {
	url {
		host = DEV_SERVER_HOST
		port = 8080
		encodedPath = "/api"
	}

	headers {
		append(HttpHeaders.Authorization, "Basic YWRtaW46YWRtaW4=")
	}

	rpcConfig {
		serialization {
			json { }
		}
	}
}.withService()

I tried this, and the header is not being added to the requests.

If this is not the correct functionality, is the work-around to send the authentication along with the RPC calls as a parameter?

[Mr3zee]

Hi! Thank you for the report. Looks like a bug to me, I'll take a look

[EricDeng1001]

Encountered same problem.

[realityexpander]

I'm a RPC newbie... but is it considered safe to pass an Auth string as a parameter, as a temporary workaround? Or would this be a security vulnerability?

[EricDeng1001]

I think it's doable but need huge refactoring of code

[realityexpander]

I think it's doable but need huge refactoring of code

What exactly? Passing a authetntication string as a parameter? My ask is if sending this kind of payload would result in a security vulnerability? Or is sending an data in RPC considered secure as its traveling over https?

[EricDeng1001]

It's same secure as how https is secure. I mean when you need to pass a parameter whenever your function need authentication, this cause huge amount of code modification.
I would usually use "aspect" for this kind of task. In client-server case, it is header authentication.

[realityexpander]

OK, thank you for confirming it’s secure via HTTPS. The parameter passing is acceptable for now, since header authentication is not available yet...

…

On Aug 23, 2024, at 9:01 AM, Eric Deng ***@***.***> wrote: It's same secure as how https is secure. I mean when you need to pass a parameter whenever your function need authentication, this cause huge amount of code modification. I would usually use "aspect" for this kind of task. In client-server case, it is header authentication. — Reply to this email directly, view it on GitHub <#160 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ABHLEYVGGBA72UZ347H4E4LZS46DJAVCNFSM6AAAAABMLLBOSWVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDGMBXGE3DEMJSHE>. You are receiving this because you authored the thread.

[Mr3zee]

@realityexpander I looked into the code and found that headers function you use is the wrong one in Ktor. (public fun headers(builder: HeadersBuilder.() -> Unit): Headers = Headers.build(builder)). It does not add headers, but creates and returns a Headers instance. The correct way would be the write headers.append(HttpHeaders.Authorization, "Basic YWRtaW46YWRtaW4=") or headers[HttpHeaders.Authorization] = "Basic YWRtaW46YWRtaW4="

[realityexpander]

Ah, I see.

Confirming: is this the standard pattern for setting up headers?

[Mr3zee]

Probably yes, though it's better to ask in the ktor slack, for example, or refer to their docs

[realityexpander]

Probably yes, though it's better to ask in the ktor slack, for example, or refer to their docs

OK thank you!