Allow usage of basic auth and user management at the same time

Hello,

First of all, thank you for your great piece of software. :smiley:

I have one small feature request and would appreciate your reply: At the moment, it does not seem to be possible to use basic auth and user management at the same time. However, I have a use case where very sensitive data is handled. Thus, I would love to have both authentication methods at the same time.

As a workaround I already set up basic auth using my webserver (Caddy) and turned it off in n8n itself. This seems to work; however, I am afraid some trigger nodes which use webhooks under the hood are not going to work properly since they do not add the basic auth credentials to the webhook.

Thank you for your reply.
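For reference, one way to set up the Caddy workaround described above while keeping under-the-hood webhook calls working. This is an added example, not the poster's configuration; it assumes n8n listens on localhost:5678 (its default port), and the password hash is a placeholder to be generated with `caddy hash-password`.

```caddyfile
# Added example (not from the thread): Caddy in front of n8n.
# Assumption: n8n runs on localhost:5678 (the default port).
n8n.example.com {
    # Everything except n8n's webhook paths requires basic auth, so the UI
    # and API sit behind the extra layer, while trigger nodes that register
    # webhooks "under the hood" (and never send basic auth credentials)
    # keep working and rely on n8n's own webhook authentication instead.
    @protected {
        not path /webhook/* /webhook-test/*
    }

    basicauth @protected {
        # Placeholder: replace with the bcrypt hash from `caddy hash-password`.
        admin <BCRYPT_HASH_PLACEHOLDER>
    }

    reverse_proxy localhost:5678
}
```

Webhook endpoints left outside the basic auth matcher should carry their own authentication in n8n (for example the header or token auth on the Webhook node), since the proxy no longer gates them.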

Hi there,

Do not forget to vote.
Also I don’t understand the use case.
Webhook auth and user auth have nothing to do with each other if you run n8n “normally”.

Could you explain a bit more on your use case?

Hi BramKn,

The reason why I want both auth methods:

  • Basic auth
    Protects the whole directory before n8n can be accessed. Let’s say some day a major security hole is found in the n8n source code and allows guests to gain admin access via SQL injection or other means. They still would have to get past the basic auth.
  • User accounts
    User accounts are usually said to be more secure than basic auth. The reason is that basic auth credentials are sent with every single request leaving a larger attack surface than user passwords which are only sent once (the user session is then handled by a session ID etc.). Thus, I would appreciate that additional layer.
  • Webhooks
    You’re right, for webhooks user credentials are not required. I would set up access tokens here. Consequently, to use a webhook you would need basic auth + access token in my scenario. The basic auth information can be set in webhook URLs as follows: https://{User}:{Password}@n8n.domain.tld/webhook/{Webhook-ID}. However, I am afraid this will not be done for nodes that use webhooks “under the hood” when basic auth is set up externally (e.g. by Caddy).

I probably need to add that in my case n8n will only be used by a few administrators and not a wide range of “average” users.

Does the request make more sense now?

Thank you.

Soooo, you want to use them both at the same time for sorta a 2-factor auth?

Yes, exactly.


I guess supporting the multi factor feature request would be a better idea then. :slight_smile:

There are a few differences, however:

  • 2FA provides a different type of protection (as described in my second post under basic auth).
  • This request is very easy to implement: Basic auth and user management already exist. However, it seems that the env variables N8N_BASIC_AUTH_ACTIVE, …_USER and …_PASSWORD are ignored once an owner account has been set up (just like with the N8N_USER_MANAGEMENT_DISABLED node). All it would take is to change that behavior (which does not make sense to me since basic auth and user management are different topics).