As an admin, I want to be able to add custom request headers in the mobile app for use with Cloudflare Service Token Auth

Q1. What is the problem that you are trying to solve?
Many users are trying to secure access to their Passbolt instance behind the free “Cloudflare Tunnel” service. You can set up Cloudflare Tunnel so that you can only access your Passbolt instance after you are authenticated using the Cloudflare login page (e.g. using a one-time code sent via email).
The Passbolt mobile app does not like this page in front of it. But Cloudflare lets you authenticate using so-called “Service tokens”. If you set it up on your Cloudflare dashboard, you can use a combination of “CF-Access-Client-Id” and “CF-Access-Client-Secret” sent as request headers to authenticate and effectively bypass the Cloudflare “Log in using your email” page.
If we as admins could set up custom request headers for our self-hosted Passbolt instances, many users would profit from the added security from Cloudflare.

Q2 - Who is impacted?
There are several people who have tried this. Just search for “Cloudflare” in this forum. Or search for “Cloudflare+passbolt” on Google, DuckDuckGo, etc.
Also, it seems very common that people use Cloudflare Tunnel nowadays in their homelab. Almost every video on YouTube that tells you how to install Passbolt in your homelab is using Cloudflare Tunnel.

Q3 - Why is it important and/or urgent?
Other password managers do not offer the setting of custom request headers in their mobile apps. Users have been waiting a long time for a solution for using the mobile Passbolt app behind a Cloudflare Tunnel with authentication.

Q4 - What is your proposed solution? (optional)

  • As an admin, I want to be able to set custom request headers (e.g. a simple text input field) in the mobile (iOS/Android) Passbolt app to be able to use services like “Service auth/token” from Cloudflare Tunnel.
  • Test scenario: When sending “CF-Access-Client-Id” and “CF-Access-Client-Secret” as headers to a self-hosted Passbolt server behind a secured Cloudflare Tunnel, the user should be able to log in to their Passbolt instance.
  • The use of custom request headers for services like Cloudflare Tunnel is implemented in services like “Uptime Kuma” as a simple text field that is sent as a header in every request.

Q5. Community support
Apparently, I am not allowed to create polls, but please comment if you are interested in this feature so that the Passbolt developers can see this.
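
The test scenario from Q4, as an added example that is not part of the original post and not Passbolt or Cloudflare code: a local stand-in for the login gate answers a client once without and once with the two service token headers. The gate's redirect behaviour is a simplified assumption, and the header values, `AccessGate`, `fetch_status` and `run_scenario` are constructed for illustration.

```python
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample values, not real Cloudflare credentials.
TOKEN_HEADERS = {
    "CF-Access-Client-Id": "example-id.access",
    "CF-Access-Client-Secret": "example-secret",
}

class AccessGate(BaseHTTPRequestHandler):
    """Local stand-in for the login gate (simplified, assumed behaviour)."""
    def do_GET(self):
        ok = all(self.headers.get(k) == v for k, v in TOKEN_HEADERS.items())
        self.send_response(200 if ok else 302)
        if not ok:  # browser login page that an API client cannot complete
            self.send_header("Location", "/login")
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass

class NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # surface the 302 instead of following it

def fetch_status(url, extra_headers=None):
    """Return the HTTP status for url, with extra_headers sent on the request."""
    # Empty ProxyHandler: ignore proxy environment variables for the local demo.
    opener = urllib.request.build_opener(NoRedirect, urllib.request.ProxyHandler({}))
    req = urllib.request.Request(url, headers=extra_headers or {})
    try:
        with opener.open(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def run_scenario():
    """Return (status without token headers, status with token headers)."""
    server = HTTPServer(("127.0.0.1", 0), AccessGate)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    url = f"http://127.0.0.1:{server.server_port}/"
    try:
        return fetch_status(url), fetch_status(url, TOKEN_HEADERS)
    finally:
        server.shutdown()
        server.server_close()
```

The client secret is a long-lived credential, so an app that stores it should keep it in the platform's secure storage and attach the headers only to requests for the configured server.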