Send "Authorization" header with requests to the backend

[mathio]

The issue

We have a VRT backend deployed. However it requires Authorization header for access in order not to be publicly accessible for anyone.

Proposed solution

Add optional "authHeader" setting / VRT_AUTH_HEADER env variable. If present, its value can be added to the AxiosRequestConfig as Authorization header to ensure it is sent with all requests to the backend.

This allows the backend not to be publicly available. It provides support for any Authorization type since the full value of the header is provided from the config.

[pashidlos]

@mathio could you elaborate how this header is used by backend?
currently backend is protected by API key for SDK requests and Bearer token for the rest

[mathio]

There is a load balancer with basic auth in front of the VRT dashboard.

There was a concern in our security team to open the VRT dashboard to the public. I think the main concern was the signups were open to anyone (which do not seem configurable).

[pashidlos]

@mathio yeah, atm anyone with access could create account with read-only access by default via Frontend
have you tried to pass it via url like this?

  "apiUrl": "http://username:password@localhost:4200",

could you elaborate the reason to open frontend publicly? is there any issues with accessing it via your company VPN?

[mathio]

I will try the approach you suggested, thanks.

We want to run visual tests on a public project. Github Actions on public repos can not run using self-hosted containers. For private repos we use self-hosted containers with VPN setup.

[mathio]

Thank you @pashidlos , your suggestion worked for our use-case.

I think we can close this issue.