
Advanced authentication options #624

Open
FunDeckHermit opened this issue Dec 19, 2021 · 8 comments
Labels
discussion Raises questions that are up for discussion feature A new idea or feature

Comments

@FunDeckHermit

FunDeckHermit commented Dec 19, 2021

Is your feature request related to a problem? Please describe.
My photoview instance is running behind Authentik. This causes two login screens for users to be traversed.

Describe the solution you'd like
From simple to advanced there are a couple of options:

  1. Disable authentication (Photo browsing without logging in #478)
  2. Disable authentication with IP/CIDR whitelist
  3. Basic auth (prompt or http://username:password@example.com/)
  4. Header based authentication (like Navidrome)
  5. oidc/oauth2 integration
  6. LDAP integration (LDAP Support #272)

Describe alternatives you've considered
Editing the HTML and hardcoding a password at the login screen

Additional context
All options up to option 4 are quite easy to implement without a lot of hassle.
I personally prefer header based authentication as you will be able to pass through additional information in headers. It's also easy to use as each reverse proxy is able to inject some headers. It's also safe as the header is a variable and can be different for each instance.

@viktorstrate viktorstrate added the feature A new idea or feature label Feb 7, 2022
@viktorstrate
Member

The immediate problem I can think of with something like header based authentication is that loading images relies on cookies as there aren't any ways to send custom headers for <img /> tags.

So the server would have to recognize that an authorized request is made based on the headers and then set the cookie for the response. I guess this might be ok, but I don't know if there might be any pitfalls doing it that way.
I guess the headers could easily become out of sync with the cookie?
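
The flow sketched above (recognise an authorised request by a header the reverse proxy injects, then set a cookie so that `<img />` loads stay authenticated), combined with the IP/CIDR allowlist from option 2 of the original request, as an added Go example. This is not Photoview's code or a proposal from anyone in this thread; the header name, cookie name, CIDR range, user names and HMAC key are constructed for the demonstration. The identity header is only honoured when the TCP peer is inside the allowlist, so the same header sent directly from the internet is ignored, and the cookie carries a MAC so it cannot be edited into another user name.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"net"
	"net/http"
	"strings"
)

// sessionCookie is a hypothetical name; Photoview's real cookie handling is not modelled here.
const sessionCookie = "proxy-session"

// ProxyAuth trusts an identity header only when the peer is one of the configured reverse
// proxies (the IP/CIDR allowlist of option 2) and then issues an HMAC-bound cookie so that
// <img> loads, which cannot carry custom headers, stay authenticated.
type ProxyAuth struct {
	Header  string       // e.g. "X-Forwarded-User", whatever the proxy injects
	Proxies []*net.IPNet // peers allowed to assert identities
	Key     []byte       // server-side secret binding the cookie to the user name
}

// fromTrustedProxy checks the TCP peer, not any X-Forwarded-For value, which is client-supplied.
func (p ProxyAuth) fromTrustedProxy(remoteAddr string) bool {
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		host = remoteAddr
	}
	ip := net.ParseIP(host)
	for _, n := range p.Proxies {
		if ip != nil && n.Contains(ip) {
			return true
		}
	}
	return false
}

// cookieValue is "<user>|<hex hmac>", verifiable without any server-side session store.
func (p ProxyAuth) cookieValue(user string) string {
	m := hmac.New(sha256.New, p.Key)
	m.Write([]byte(user))
	return user + "|" + hex.EncodeToString(m.Sum(nil))
}

// userFromCookie returns the user name only if the cookie's MAC verifies.
func (p ProxyAuth) userFromCookie(v string) (string, bool) {
	i := strings.LastIndexByte(v, '|')
	if i < 0 || !hmac.Equal([]byte(p.cookieValue(v[:i])), []byte(v)) {
		return "", false
	}
	return v[:i], true
}

// Identify returns the user, whether the cookie must be (re)issued, and whether the request is
// authenticated at all. A trusted header always wins, so a stale cookie is replaced, not kept.
func (p ProxyAuth) Identify(r *http.Request) (user string, setCookie bool, ok bool) {
	headerUser, cookieUser := "", ""
	if p.fromTrustedProxy(r.RemoteAddr) {
		headerUser = strings.TrimSpace(r.Header.Get(p.Header))
	}
	if c, err := r.Cookie(sessionCookie); err == nil {
		cookieUser, _ = p.userFromCookie(c.Value)
	}
	switch {
	case headerUser != "":
		return headerUser, headerUser != cookieUser, true
	case cookieUser != "":
		return cookieUser, false, true
	}
	return "", false, false
}

// Middleware rejects unauthenticated requests, sets the cookie when needed, passes the user on.
func (p ProxyAuth) Middleware(next func(http.ResponseWriter, *http.Request, string)) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		user, issue, ok := p.Identify(r)
		if !ok {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		if issue {
			http.SetCookie(w, &http.Cookie{Name: sessionCookie, Value: p.cookieValue(user),
				Path: "/", HttpOnly: true, Secure: true, SameSite: http.SameSiteLaxMode})
		}
		next(w, r, user)
	})
}

func main() {
	_, lan, _ := net.ParseCIDR("10.0.0.0/8") // constructed: the network the reverse proxy lives in
	p := ProxyAuth{Header: "X-Forwarded-User", Proxies: []*net.IPNet{lan}, Key: []byte("constructed-demo-key")}
	r, _ := http.NewRequest("GET", "/", nil)
	r.Header.Set(p.Header, "alice")
	r.RemoteAddr = "10.1.2.3:4567" // relayed by the proxy: the header is honoured
	fmt.Println(p.Identify(r))     // alice true true
	r.RemoteAddr = "203.0.113.5:4567" // same header straight from the internet: ignored
	fmt.Println(p.Identify(r))        // "" false false
}
```

The "out of sync" worry is handled by making the header authoritative on every request that carries it: if the proxy now asserts a different user than the cookie names, `Identify` reports that the cookie must be re-issued and the response overwrites it. Requests that cannot carry the header (image loads) fall back to the cookie alone, and because the cookie is keyed with the server-side secret, a client cannot forge one for another account. Note that the check `fromTrustedProxy` is only meaningful when the application port is not reachable except through the proxy; if it is exposed directly, a client on the allowlisted network could still assert any identity.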

@viktorstrate viktorstrate added the discussion Raises questions that are up for discussion label Feb 7, 2022
@rpatel3001

Just want to +1 header auth as all my services are behind traefik with traefik-forward auth, which sets X-Forwarded-User after a google login flow. I currently am the only user so disabling auth altogether would also work for now. I'm not familiar with this codebase and how it uses cookies, but grafana is another potential reference for implementing this.

@viktorstrate
Member

@rpatel3001 Grafana might be worth a look.

Maybe having an environment variable to completely disable any form of authentication and just have a single admin user that is always logged in, might be a nice start.
I think that would be simple and useful for many users who either run the instance locally-only or behind other means of authentication.
That way cookie authentication could also simply be turned off completely.

@Sieboldianus

This is only somewhat related: Is there any way to increase the lifetime of the auth cookie?

I have Photoview set up internally for several family members, some of them are too old to deal with usernames/passwords. Currently, I've set up Shared Photoview Links on their Android homescreens, which don't require logins. If I could extend the lifetime of auth cookies (let's say up to 1 year), they could use the native PWA with their own user accounts.

@alexanderadam

alexanderadam commented Jun 4, 2022

Implementing OpenID Connect would also solve issue 565 for some users, since IdPs like Authelia, Keycloak or Authentik support OTP out of the box.

There are also battle tested packages available for Go (i.e. go-oidc, oidc and others).

@Akshay-Hegde

@FunDeckHermit Did you find any way to disable authentication?

@viktorstrate viktorstrate mentioned this issue Mar 16, 2023
@Akshay-Hegde

@FunDeckHermit: I managed to show it using a different way: #818 (comment)

@kkovaletp
Contributor

@jordy2254, I think that this discussion might be interesting to you in the scope of the user management epic.
