Support Authentication via Token

[sigoden]

Design Proposal

• Allow the token to be included in either the query string (?token=<TOKEN>) or the request header (X-TOKEN: <TOKEN>).
• The token will take precedence over the standard authorization header. If the token authentication fails, the system will then fall back to using the authorization header for authentication.
• Each user will be assigned a unique token. The token will be refreshed every time the dufs service is restarted.

Why need this features

• Some clients are unable to download protected resources due to their limitations in handling Basic/Digest authentication (See issues Add an authorization token after the link #462 and 设置账户后 下载 401 安卓浏览器 #465).
• Solve the known compatibility problems associated with Basic/Digest authentication that can lead to unexpected errors (Refer to issue auth cannot remain in all path #510).
• The WebUI can store the token in local storage, enabling users to remain logged in even after restarting their browsers.

[fredleger]

or even better trough saml for great entreprise use cases

[leoneltrich]

I like the idea of tokens. Especially if it was a JWT! From a security standpoint, it would be great if the token was regenerated each time a user logs in using their password. I would use the Authentication header with Bearer for this. Especially with the possibility of JWT and the OAuth 2.0 standard in mind.