
I need to host a private Flatpak remote with restricted access by using Basic Auth (login/password). All I need now is to make the Flatpak client add an Authorization HTTP header with credentials to all requests sent to the remote. I tried to modify the remote by hardcoding Basic Auth credentials into the repo URL

[root@vbox ~]# flatpak remotes --columns=name,url
Имя   URL
gnome https://username:[email protected]/repo/

but

  • it doesn’t work (credentials were just ignored)
  • it’s unsafe because every user can see credentials by calling remotes command.

Thanks in advance.

1 Answer


Flatpak's repo protocol does not foresee Basic auth. So, flatpak doesn't have that implemented, and you just can't.

However, you can implement authentication. That requires two things:

  1. you convince your web server to support Bearer auth instead of Basic auth (which is just sending an Authorization: Bearer Secret_Token header instead of an Authorization: Basic … header, so chances are this is supported by your infrastructure with little configuration; otherwise, you need to configure an auth server in your nginx/apache2/… and set that up to accept the tokens you give out.)
  2. You write a small program and package it as a flatpak application. That program implements the org.freedesktop.Flatpak.Authenticator D-Bus API, meaning that it has the single method RequestRefTokens; an (imho overly complete) example exists here; you'd instead just read the Bearer token from a file owned by the executing user, and return it wrapped in an AuthenticatorRequest that emits a Response. (yeah, it's complicated, sorry.)
     Alternatively, you use the default web-flow authenticator, which needs you to add the URL of an OAuth frontend to your repo metadata, and returns the token gotten that way. But that requires you to set up OAuth infrastructure. Did that once, hm, might not be what you want to do with your time.

it’s unsafe because every user can see credentials by calling remotes command.

That's not the problem, because you can have per-user remotes!

You could hence also just go for separate, secret URIs for the repos, which is exactly as secure as HTTP Basic or Bearer auth: The secret is part of the HTTP request.
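The token-file authenticator that step 2 of the answer sketches, as an added example: this is not the answer author's code and not a file from the flatpak project. It is a Python session-bus service built on PyGObject's Gio that implements RequestRefTokens, reads a Bearer token from a file that must be a regular file owned by the invoking user with no group/other permission bits, and answers with a Response signal granting that token to every requested ref. The bus name org.example.TokenAuthenticator, the token path ~/.config/flatpak-token, the `tokens` results key and the request-path convention (derived from the caller's unique bus name and its handle token, as the XDG portals do) are assumptions; compare the interface declaration below against the org.freedesktop.Flatpak.Authenticator.xml shipped with your flatpak before relying on it.

```python
#!/usr/bin/env python3
"""Static Bearer-token authenticator for a private Flatpak remote (added example)."""
import os
import stat
import sys

BUS_NAME = "org.example.TokenAuthenticator"                  # assumed name
OBJECT_PATH = "/org/freedesktop/Flatpak/Authenticator"
REQUEST_IFACE = "org.freedesktop.Flatpak.AuthenticatorRequest"
TOKEN_PATH = os.path.expanduser("~/.config/flatpak-token")  # assumed location
RESPONSE_SUCCESS = 0  # 1 = cancelled, 2 = error

INTROSPECTION_XML = """<node>
  <interface name='org.freedesktop.Flatpak.Authenticator'>
    <property name='version' type='u' access='read'/>
    <method name='RequestRefTokens'>
      <arg type='s' name='handle_token' direction='in'/>
      <arg type='a{sv}' name='authenticator_options' direction='in'/>
      <arg type='s' name='remote' direction='in'/>
      <arg type='s' name='remote_uri' direction='in'/>
      <arg type='a(ssia{sv})' name='refs' direction='in'/>
      <arg type='a{sv}' name='options' direction='in'/>
      <arg type='s' name='parent_window' direction='in'/>
      <arg type='o' name='handle' direction='out'/>
    </method>
  </interface>
  <interface name='org.freedesktop.Flatpak.AuthenticatorRequest'>
    <method name='Close'/>
    <signal name='Response'>
      <arg type='u' name='response'/>
      <arg type='a{sv}' name='results'/>
    </signal>
  </interface>
</node>"""

def request_path(sender, handle_token):
    """Object path of the request flatpak will watch: built from the caller's
    unique bus name (':1.42' -> '1_42') and its handle token (assumed to
    follow the XDG portal convention)."""
    peer = sender.lstrip(":").replace(".", "_")
    return f"{OBJECT_PATH}/request/{peer}/{handle_token}"

def token_file_is_private(mode, owner_uid, my_uid):
    """A regular file, owned by the calling user, with no group/other bits."""
    return stat.S_ISREG(mode) and owner_uid == my_uid and (mode & 0o077) == 0

def load_token(path=TOKEN_PATH):
    st = os.stat(path)
    if not token_file_is_private(st.st_mode, st.st_uid, os.getuid()):
        raise PermissionError(f"{path} must be a regular file owned by you, mode 0600")
    with open(path, encoding="utf-8") as f:
        token = f.read().strip()
    if not token:
        raise ValueError(f"{path} is empty")
    return token

def build_results(refs, token):
    """'tokens' map for the Response signal: token -> refs it is valid for.
    refs are the unpacked a(ssia{sv}) tuples (ref, commit, token_type, metadata)."""
    return {token: [ref for ref, _commit, _token_type, _metadata in refs]}

def main():
    from gi.repository import Gio, GLib  # only needed to actually serve on the bus

    node = Gio.DBusNodeInfo.new_for_xml(INTROSPECTION_XML)
    auth_iface, request_iface = node.interfaces
    token = load_token()

    def on_request_method(conn, sender, path, iface, method, params, invocation):
        invocation.return_value(None)  # Close: nothing to cancel, we answer at once

    def on_auth_method(conn, sender, path, iface, method, params, invocation):
        if method != "RequestRefTokens":
            invocation.return_dbus_error("org.freedesktop.DBus.Error.UnknownMethod", method)
            return
        handle_token, _auth_opts, _remote, _uri, refs, _opts, _parent = params.unpack()
        handle = request_path(sender, handle_token)
        conn.register_object(handle, request_iface, on_request_method, None, None)
        invocation.return_value(GLib.Variant("(o)", (handle,)))
        results = {"tokens": GLib.Variant("a{sas}", build_results(refs, token))}

        def emit_response():
            # Sent after RequestRefTokens has returned, so the caller already holds the handle.
            conn.emit_signal(sender, handle, REQUEST_IFACE, "Response",
                             GLib.Variant("(ua{sv})", (RESPONSE_SUCCESS, results)))
            return GLib.SOURCE_REMOVE

        GLib.idle_add(emit_response)

    def on_get_property(conn, sender, path, iface, prop):
        return GLib.Variant("u", 1) if prop == "version" else None

    Gio.bus_own_name(Gio.BusType.SESSION, BUS_NAME, Gio.BusNameOwnerFlags.NONE,
                     lambda conn, name: conn.register_object(
                         OBJECT_PATH, auth_iface, on_auth_method, on_get_property, None),
                     None, lambda conn, name: sys.exit(f"lost bus name {name}"))
    GLib.MainLoop().run()

if __name__ == "__main__":
    main()
```

To wire it up, point the remote at the authenticator with `flatpak remote-modify --authenticator-name=org.example.TokenAuthenticator gnome` and let the session bus start the script on demand through a service file (`~/.local/share/dbus-1/services/org.example.TokenAuthenticator.service` with `Name=` set to the bus name and `Exec=` to the script). The web server then only has to compare the `Authorization: Bearer` header flatpak sends against the issued tokens. Because the secret lives in a 0600 file rather than in the remote URL, `flatpak remotes` shows nothing sensitive, which addresses the second bullet of the question; if a token leaks, revoke it on the server and replace the file.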

  • Thanks a lot for the detailed answer! But what about the BasicAuth signal and BasicAuthReply method (I have seen them in org.freedesktop.Flatpak.Authenticator.xml)? How can I use them? Commented Aug 15 at 15:06
