Lets SoulSync sit behind Authelia/Authentik/oauth2-proxy as the gatekeeper: when security.auth_proxy_header names a header (e.g. Remote-User), a request carrying it is treated as already-authenticated and passes the launch lock — the proxy did the login (with 2FA). - core/security/auth_proxy.py: trusted_proxy_user(get_header, header_name) — returns the user iff the configured header is present + non-empty; empty header name (the default) → always None → feature off. - _enforce_launch_pin ORs it into pin_verified. OFF by default, so a direct install is unaffected AND a client-spoofed header does nothing unless the operator opted in. - Doc'd in Support/REVERSE-PROXY.md with the must-strip-client-headers warning. This is the lightweight Tier 3 (auth-proxy integration), not a full per-user login — the proxy owns identity; SoulSync trusts it. Tests: helper off/on/blank/exception-safe; integration — trusted header passes the gate, no header is locked, and (the safety pin) a spoofed header is IGNORED when the feature is off. 6 tests pass.
31 lines
1.1 KiB
Python
31 lines
1.1 KiB
Python
"""Forward-auth proxy header trust (Tier 3): OFF by default → no-op; when the
|
|
operator configures a header, a request carrying it is treated as authenticated."""
|
|
|
|
from __future__ import annotations
|
|
|
|
from core.security.auth_proxy import trusted_proxy_user
|
|
|
|
|
|
def _headers(d):
|
|
return lambda name: d.get(name)
|
|
|
|
|
|
def test_off_when_no_header_configured():
|
|
# empty header name → feature disabled → always None (direct install unaffected)
|
|
assert trusted_proxy_user(_headers({'Remote-User': 'alice'}), '') is None
|
|
assert trusted_proxy_user(_headers({'Remote-User': 'alice'}), None) is None
|
|
|
|
|
|
def test_returns_user_when_header_present():
|
|
assert trusted_proxy_user(_headers({'Remote-User': 'alice'}), 'Remote-User') == 'alice'
|
|
|
|
|
|
def test_none_when_configured_header_absent_or_blank():
|
|
assert trusted_proxy_user(_headers({}), 'Remote-User') is None
|
|
assert trusted_proxy_user(_headers({'Remote-User': ' '}), 'Remote-User') is None
|
|
|
|
|
|
def test_get_header_exception_is_safe():
|
|
def boom(_name):
|
|
raise RuntimeError('header lookup blew up')
|
|
assert trusted_proxy_user(boom, 'Remote-User') is None
|