Merge pull request #552 from ajgon/feat/forward-auth

Support for forward auth
2023-09-26 09:04:34 +07:00 · 2023-09-26 09:04:34 +07:00 · 6bd06f61cf
parent 515b724047 6a83756fb4
commit 6bd06f61cf
4 changed files with 43 additions and 6 deletions
--- a/README.md
+++ b/README.md
@ -58,6 +58,9 @@ Take a look at the example [docker-compose.yml](https://github.com/tubearchivist
 | TZ | Set your timezone for the scheduler | Required |
 | TA_PORT | Overwrite Nginx port | Optional |
 | TA_UWSGI_PORT | Overwrite container internal uwsgi port | Optional |
+| TA_ENABLE_AUTH_PROXY | Enables support for forwarding auth in reverse proxies | [Read more](https://docs.tubearchivist.com/configuration/forward-auth/) |
+| TA_AUTH_PROXY_USERNAME_HEADER | Header containing username to log in | Optional |
+| TA_AUTH_PROXY_LOGOUT_URL | Logout URL for forwarded auth | Opttional |
 | ES_URL | URL That ElasticSearch runs on | Optional |
 | ES_DISABLE_VERIFY_SSL | Disable ElasticSearch SSL certificate verification | Optional |
 | ES_SNAPSHOT_DIR | Custom path where elastic search stores snapshots for master/data nodes | Optional |
--- a/tubearchivist/config/settings.py
+++ b/tubearchivist/config/settings.py
@ -175,7 +175,6 @@ if bool(environ.get("TA_LDAP")):
            ldap.OPT_X_TLS_REQUIRE_CERT: ldap.OPT_X_TLS_NEVER,
        }

-    global AUTHENTICATION_BACKENDS
    AUTHENTICATION_BACKENDS = ("django_auth_ldap.backend.LDAPBackend",)

 # Database
@ -211,6 +210,19 @@ AUTH_PASSWORD_VALIDATORS = [

 AUTH_USER_MODEL = "home.Account"

+# Forward-auth authentication
+if bool(environ.get("TA_ENABLE_AUTH_PROXY")):
+    TA_AUTH_PROXY_USERNAME_HEADER = (
+        environ.get("TA_AUTH_PROXY_USERNAME_HEADER") or "HTTP_REMOTE_USER"
+    )
+    TA_AUTH_PROXY_LOGOUT_URL = environ.get("TA_AUTH_PROXY_LOGOUT_URL")
+
+    MIDDLEWARE.append("home.src.ta.auth.HttpRemoteUserMiddleware")
+
+    AUTHENTICATION_BACKENDS = (
+        "django.contrib.auth.backends.RemoteUserBackend",
+    )
+

 # Internationalization
 # https://docs.djangoproject.com/en/3.2/topics/i18n/
--- a/tubearchivist/home/src/ta/auth.py
+++ b/tubearchivist/home/src/ta/auth.py
@ -0,0 +1,10 @@
+from django.conf import settings
+from django.contrib.auth.middleware import PersistentRemoteUserMiddleware
+
+
+class HttpRemoteUserMiddleware(PersistentRemoteUserMiddleware):
+    """This class allows authentication via HTTP_REMOTE_USER which is set for
+    example by certain SSO applications.
+    """
+
+    header = settings.TA_AUTH_PROXY_USERNAME_HEADER
--- a/tubearchivist/home/urls.py
+++ b/tubearchivist/home/urls.py
@ -3,18 +3,30 @@
 from django.conf import settings
 from django.contrib.auth.decorators import login_required
 from django.contrib.auth.views import LogoutView
+from django.shortcuts import redirect
 from django.urls import path
 from home import views

-urlpatterns = [
-    path("", login_required(views.HomeView.as_view()), name="home"),
-    path("login/", views.LoginView.as_view(), name="login"),
-    path(
+if hasattr(settings, "TA_AUTH_PROXY_LOGOUT_URL"):
+    logout_path = path(
+        "logout/",
+        lambda request: redirect(
+            settings.TA_AUTH_PROXY_LOGOUT_URL, permanent=False
+        ),
+        name="logout",
+    )
+else:
+    logout_path = path(
        "logout/",
        LogoutView.as_view(),
        {"next_page": settings.LOGOUT_REDIRECT_URL},
        name="logout",
-    ),
+    )
+
+urlpatterns = [
+    path("", login_required(views.HomeView.as_view()), name="home"),
+    path("login/", views.LoginView.as_view(), name="login"),
+    logout_path,
    path("about/", views.AboutView.as_view(), name="about"),
    path(
        "downloads/",