Description
Background
Users report being unable to access the ActivityWatch server from a browser on Android (issue #143). Part of this is expected behavior (server only listens on localhost), but we also want to add API authentication by default on Android.
Goals
Per discussion in #143:
- Add API authentication enabled by default on the Android server
- Compatible clients using aw-client or aw-client-rust should "just work" once they use recent versions
- Users accessing via browser should have a path that works
Proposed Solutions
Option 1: Setting to disable authentication
Add a settings toggle "Require API authentication" (default: on). When turned off, the server accepts unauthenticated requests (useful for trusted local network setups).
Option 2: "Open in browser" link with credentials
Add an "Open in browser" button/link in the Android app that opens the browser with credentials passed along (e.g., via a token in the URL, or by launching a localhost URL that auto-authenticates the session).
Both options are not mutually exclusive — we could implement both.
Related
- Related to aw-tauri: the same authentication approach should apply there too
- Clients using aw-client/aw-client-rust should automatically handle auth
- Issue Unable to import/export settings on Android 13 #101 (related server access issue)
- Context: Exporting and server not working #143 (comment)
Implementation Notes
The server-side authentication would live in aw-server or aw-server-rust. The Android app would need to:
- Generate/store an API token at first launch
- Configure the server to require this token
- Provide UX for users to access the web interface (the "open in browser" approach)
cc @ErikBjare
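
A minimal sketch of the first two implementation notes together with the Option 1 toggle, added here as an illustration; it is not code from aw-server, aw-server-rust or the Android app. The `Authorization: Bearer` header scheme, the token file location and the function names are assumptions, since the issue does not specify them.

```python
import hmac
import os
import secrets
from pathlib import Path


def load_or_create_token(path: Path) -> str:
    """Return the stored API token, generating one on first launch."""
    if path.exists():
        stored = path.read_text().strip()
        if stored:
            return stored
    # 32 random bytes from the OS CSPRNG, URL-safe so clients can carry it as text.
    token = secrets.token_urlsafe(32)
    # Create the file owner-only (0o600) so other local users cannot read it.
    # The mode applies when the file is created, not to a pre-existing file.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(token)
    return token


def is_authorized(headers: dict, token: str, require_auth: bool = True) -> bool:
    """Check a request's headers against the server token.

    require_auth models the proposed "Require API authentication" setting
    (default: on). The Bearer scheme is an assumption of this example.
    """
    if not require_auth:
        return True
    scheme, _, presented = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not presented.strip():
        return False
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(presented.strip().encode(), token.encode())


if __name__ == "__main__":
    import tempfile

    # Constructed demo: token file in a throwaway directory.
    token_path = Path(tempfile.mkdtemp()) / "api_token"
    token = load_or_create_token(token_path)
    print(is_authorized({"Authorization": f"Bearer {token}"}, token))
    print(is_authorized({}, token))
    print(is_authorized({}, token, require_auth=False))
```
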