Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: support for forwardAuth #580

Open
wants to merge 2 commits into
base: develop
Choose a base branch
from
Open

feat: support for forwardAuth #580

wants to merge 2 commits into from

Conversation

Janhouse
Copy link

@Janhouse Janhouse commented Nov 28, 2023
edited
Loading

Description

Add support for forwardAuth available with nginx, caddy, traefik, etc. which allows use of SSO without exposing any jellyseerr services to unauthenticated users.

Inspired by similar PR in overseer but slightly simplified, requiring existing user to authenticate.

To-Dos

  • Successful build yarn build

@Janhouse Janhouse requested a review from gauthier-th as a code owner October 5, 2024 12:39
@github-actions github-actions bot added the merge conflict Cannot merge due to merge conflicts label Oct 16, 2024
@github-actions GitHub Actions
Copy link

This pull request has merge conflicts. Please resolve the conflicts so the PR can be successfully reviewed and merged.

@github-actions github-actions bot removed the merge conflict Cannot merge due to merge conflicts label Oct 17, 2024
gauthier-th
gauthier-th requested changes Nov 20, 2024
View reviewed changes
Copy link
Collaborator

@gauthier-th gauthier-th left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could you please add a bit of documentation for this?

gauthier-th
gauthier-th requested changes Nov 21, 2024
View reviewed changes
docs/extending-jellyseerr/forward-auth.md

This works by passing the authenticated user e-mail in `X-Forwarded-User` header by the auth server, therefore enabling single-sign-on (SSO) login.

> The user has to exist, it will not be created automatically.
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Probably better to use a warning instead of a citation.

Suggested change
> The user has to exist, it will not be created automatically.
:::warning
The user has to exist, it will not be created automatically.
:::

server/middleware/auth.ts
Comment on lines +30 to +36
if (user) {
req.user = user;
}

req.locale = user?.settings?.locale
? user.settings.locale
: settings.main.locale;
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is not necessary, it's a duplicate from below.

overseerr-api.yml
Comment on lines +190 to +192
enableForwardAuth:
type: boolean
example: true
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You wrote the setting here, but it is not available anywhere.

You should add this as a general setting, by adding a new properties in the MainSettings type in server/lib/settings.ts and adding a new input in the settings page in src/components/Settings/SettingsMain/index.tsx. You should also check that this setting is enabled before allowing login with forwardAuth.

Or did you intend to not make a setting and set it enabled by default?

overseerr-api.yml
@@ -6939,3 +6947,4 @@ paths:
security:
- cookieAuth: []
- apiKey: []
- forwardAuth: []
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is not in the OpenAPI spec?
https://spec.openapis.org/oas/latest.html#security-scheme-object-0

src/utils/localRequestHelper.ts
import type { GetServerSidePropsContext, PreviewData } from 'next/types';
import type { ParsedUrlQuery } from 'querystring';

export const getRequestHeaders = (
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Shouldn't this function be called something like getAuthHeaders instead of getRequestHeaders?

src/utils/localRequestHelper.ts
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Wdyt about renaming this file to something like serverSidePropsHelpers?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@gauthier-th gauthier-th gauthier-th requested changes

@Fallenbagel Fallenbagel Awaiting requested review from Fallenbagel Fallenbagel is a code owner

Requested changes must be addressed to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@Janhouse @gauthier-th