wangbo/ComfyUI
1
0
Fork 0
mirror of https://github.com/comfyanonymous/ComfyUI.git synced 2025-12-26 06:40:53 +08:00
Code Issues Actions 7 Packages Projects Releases Wiki Activity
b5604df442
ComfyUI/AUTHENTICATION_GUIDE.md
daverbj c5ad1381bf Add complete authentication system with documentation 
- Frontend authentication with login page (auth_login.html)
- API key injection script (auth_inject.js)
- Session management (localStorage/sessionStorage)
- Logout via URL: http://127.0.0.1:8188/auth_login.html?logout=true
- Modified server.py to inject auth scripts into index.html
- Added comprehensive documentation:
  * AUTHENTICATION_GUIDE.md - Complete authentication guide
  * FRONTEND_AUTH_GUIDE.md - Frontend-specific guide
- Health endpoint accessible without authentication
- Multiple auth methods: Bearer token, X-API-Key header, query parameter
2025-12-11 15:49:23 +03:00

273 lines
6.7 KiB
Markdown
Raw Blame History

# ComfyUI API Authentication Guide
## Overview
ComfyUI now supports API key authentication to protect your REST API endpoints. This guide covers setup, usage, and logout procedures.
## Features
- **API Key Authentication**: Protect all API endpoints with a simple API key
- **Multiple Auth Methods**: Bearer token, X-API-Key header, or query parameter
- **Health Endpoint**: Monitor server status without authentication
- **Frontend Login**: Built-in login page for browser access
- **Session Management**: Remember API key across sessions or per-session only
## Quick Start
### 1. Start Server with API Key
```bash
# Using command line argument
python3 main.py --api-key "your-secure-api-key-here"
# Or using a file (recommended for production)
echo "your-secure-api-key-here" > api_key.txt
python3 main.py --api-key-file api_key.txt
```
### 2. Access ComfyUI
When you navigate to `http://127.0.0.1:8188`, you'll be redirected to a login page.
### 3. Login
1. Enter your API key in the password field
2. Optionally check "Remember me" to persist the key across browser sessions
3. Click "Login"
The system validates your key against the `/health` endpoint before storing it.
### 4. Logout
To logout, visit:
```
http://127.0.0.1:8188/auth_login.html?logout=true
```
This will clear your stored API key and redirect you to the login page.
## API Usage
### Authentication Methods
You can authenticate API requests in three ways:
#### 1. Bearer Token (Recommended)
```bash
curl -H "Authorization: Bearer your-api-key" http://127.0.0.1:8188/prompt
```
#### 2. X-API-Key Header
```bash
curl -H "X-API-Key: your-api-key" http://127.0.0.1:8188/prompt
```
#### 3. Query Parameter
```bash
curl "http://127.0.0.1:8188/prompt?api_key=your-api-key"
```
### Python Example
```python
import requests
API_KEY = "your-api-key"
BASE_URL = "http://127.0.0.1:8188"
# Using Bearer token
headers = {"Authorization": f"Bearer {API_KEY}"}
response = requests.get(f"{BASE_URL}/queue", headers=headers)
# Using X-API-Key header
headers = {"X-API-Key": API_KEY}
response = requests.get(f"{BASE_URL}/queue", headers=headers)
# Using query parameter
response = requests.get(f"{BASE_URL}/queue?api_key={API_KEY}")
```
### JavaScript Example
```javascript
const API_KEY = "your-api-key";
const BASE_URL = "http://127.0.0.1:8188";
// Using Bearer token
fetch(`${BASE_URL}/queue`, {
headers: {
"Authorization": `Bearer ${API_KEY}`
}
})
.then(response => response.json())
.then(data => console.log(data));
```
## Health Endpoint
The `/health` endpoint is always accessible without authentication:
```bash
curl http://127.0.0.1:8188/health
```
Response includes:
- Server status
- Queue information (pending/running tasks)
- Device information (GPU/CPU)
- VRAM statistics
Example response:
```json
{
"status": "ok",
"queue": {
"pending": 0,
"running": 0
},
"device": {
"name": "mps",
"type": "mps"
},
"vram": {
"total": 68719476736,
"free": 68719476736
}
}
```
## Exempt Endpoints
The following paths are exempt from authentication:
### Static Files
- `.html`, `.js`, `.css`, `.json` files
- `.png`, `.jpg`, `.jpeg`, `.gif`, `.webp` images
- `.svg`, `.ico` icons
- `.woff`, `.woff2`, `.ttf` fonts
- `.mp3`, `.wav` audio files
- `.mp4`, `.webm` video files
### API Paths
- `/` - Root path (serves login if not authenticated)
- `/health` - Health check endpoint
- `/ws` - WebSocket endpoint
- `/auth_login.html` - Login page
- `/auth_inject.js` - Auth injection script
- `/extensions/*` - Extension files
- `/templates/*` - Template files
- `/docs/*` - Documentation
## Security Best Practices
1. **Use Strong API Keys**: Generate random, long API keys (32+ characters)
```bash
# Generate secure API key on macOS/Linux
openssl rand -base64 32
```
2. **Use API Key Files**: Store keys in files rather than command line
```bash
python3 main.py --api-key-file /secure/path/api_key.txt
```
3. **File Permissions**: Restrict key file access
```bash
chmod 600 api_key.txt
```
4. **HTTPS**: Use reverse proxy with SSL in production
```nginx
server {
listen 443 ssl;
server_name your-domain.com;
ssl_certificate /path/to/cert.pem;
ssl_certificate_key /path/to/key.pem;
location / {
proxy_pass http://127.0.0.1:8188;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
}
}
```
5. **Environment Variables**: Store keys in environment
```bash
export COMFYUI_API_KEY=$(cat api_key.txt)
python3 main.py --api-key "$COMFYUI_API_KEY"
```
## Frontend Integration
The authentication system automatically handles frontend requests:
1. When authentication is enabled, `auth_inject.js` is injected into `index.html`
2. This script intercepts all `fetch()` and `XMLHttpRequest` calls
3. Authorization headers are added automatically to all requests
4. On 401 responses, the user is redirected to the login page
### Session Storage
- **localStorage**: API key persists across browser sessions (when "Remember me" is checked)
- **sessionStorage**: API key cleared when browser/tab closes (when "Remember me" is not checked)
## Troubleshooting
### 401 Unauthorized Errors
1. Verify API key matches server configuration
2. Check authentication header format
3. Ensure endpoint isn't expecting different auth method
### Login Page Not Appearing
1. Clear browser cache
2. Verify `auth_login.html` and `auth_inject.js` exist in ComfyUI root
3. Check server logs for errors
### WebSocket Connection Issues
WebSocket connections (`/ws`) are exempt from authentication, but may require authentication for initial HTTP upgrade depending on your setup.
### Logout Not Working
Visit the logout URL directly:
```
http://127.0.0.1:8188/auth_login.html?logout=true
```
Or clear storage manually in browser DevTools:
```javascript
localStorage.removeItem('comfyui_api_key');
sessionStorage.removeItem('comfyui_api_key');
```
## Disabling Authentication
To disable authentication, simply start the server without the `--api-key` or `--api-key-file` arguments:
```bash
python3 main.py
```
## Migration from Unauthenticated Setup
If you're adding authentication to an existing ComfyUI installation:
1. Ensure `auth_login.html` and `auth_inject.js` exist in root directory
2. Update `server.py` with authentication routes
3. Add `middleware/auth_middleware.py`
4. Update `comfy/cli_args.py` with API key arguments
5. Restart server with `--api-key` argument
6. Update API clients to include authentication
## Support
For issues or questions:
- Check server logs for authentication errors
- Verify middleware is properly configured
- Test with `/health` endpoint first (no auth required)
- Review `middleware/auth_middleware.py` for exempt paths
Reference in New Issue View Git Blame Copy Permalink