How to force flatpak to ask for a password

By default, flatpak polkit rules do not require a password. You can however set up rules to require one.

Ubuntu/Debian derivatives (policykit < 0.106)

Create a new file named flatpak‑sudo‑always‑password.pkla in /⁠etc⁠/⁠polkit‑1⁠/⁠localauthority⁠/⁠50‑local.d⁠/

[Install Flatpak apps and runtimes]
Identity=unix-group:sudo
Action=org.freedesktop.Flatpak.app-install;org.freedesktop.Flatpak.runtime-install;org.freedesktop.Flatpak.app-uninstall;org.freedesktop.Flatpak.runtime-uninstall;
ResultActive=auth_admin

Any distro with policykit >= 0.106

Create a new file named 01‑flatpak‑sudo‑always‑password.rules in /⁠etc⁠/⁠polkit‑1⁠/⁠rules.d⁠⁠⁠/

polkit.addRule(function(action, subject) {
    if ((action.id == "org.freedesktop.Flatpak.app-install" ||
         action.id == "org.freedesktop.Flatpak.runtime-install"||
         action.id == "org.freedesktop.Flatpak.app-uninstall" ||
         action.id == "org.freedesktop.Flatpak.runtime-uninstall") &&
         subject.active == true && subject.local == true &&
         subject.isInGroup("sudo")) {
            return polkit.Result.AUTH_ADMIN;
    }

    return polkit.Result.NOT_HANDLED;
});

These are direct reversions of the policykit rules which flatpak installs.

The org.freedesktop.Flatpak.modify-repo permission was removed (enabled for all users by default), org.freedesktop.Flatpak.override-parental-controls was removed (not applicable), and the returned policykit authorization type changed from yes back to auth_admin. (polkit manual on auth types)

The .rules file was made by flatpak, and the .pkla file by Debian, based on flatpak's .rules file. Debian is not upgrading policykit beyond 0.105 for now, so they backported the .rules to the old system.

Original .rules file - - - Original .pkla file

You may want to consider using auth_admin_keep instead, if you don't want to be asked for your password for each flatpak and each runtime in one command.