[FEAT] Bypass password authentication for API calls

[helgehatt]

Is this a new feature request?

• I have searched the existing issues

Wanted change

I have a server running on https://3000.example.tld and a client running on https://4000.example.tld
When I navigate to https://3000.example.tld I am redirected to https://3000.example.tld/login with

Welcome to code-server
Please log in below. Password was set from $PASSWORD.

and after inputting password I can navigate to https://3000.example.tld/api/endpoint to get a valid JSON response.

However, when the client running on https://4000.example.tld tries to request a resource on the server, I simply get 401, because the client has obviously not "logged in" to the server. How is the correct way to solve this?

Reason for change

The code-server is exposed to the internet, so I can't simply remove the password authentication. However, the client and server have their own authentication mechanisms, so it wouldn't be necessary with password authentication on the proxy domains.

Proposed code change

No response

[github-actions]

Thanks for opening your first issue here! Be sure to follow the relevant issue templates, or risk having this issue marked as invalid.

[LinuxServer-CI]

This issue has been automatically marked as stale because it has not had recent activity. This might be due to missing feedback from OP. It will be closed if no further activity occurs. Thank you for your contributions.

[johnykes]

Also interested on this topic.
I want a easy way to authenticated, get the cookie, and also start the VSCODE application automatically, because right now, even if I have the cookies, if I do a post request to a VSCODE extension for example, the vscode is not even running.

[j0nnymoe]

Sounds like something that should be requested to the upstream project, we just package what's released.

[helgehatt]

For anyone else coming here, the solution is to send requests from the client with credentials. That way the code-server-session cookie is sent with the request and the client can bypass the server's password authentication.

Specifically in my case, I added

axios.defaults.withCredentials = true

client-side, and

app.enableCors({
  origin: process.env.NX_PUBLIC_CLIENT_URL,
  credentials: true,
});

server-side.

As j0nnymoe mentioned, this is related to the upstream project, and there are several discussions there regarding this.
E.g. coder/code-server#3240