soulsync/tests/test_auth_proxy.py
BoulderBadgeDad 86d0a0dd62 Security: trust a forward-auth proxy user header (Tier 3)
Lets SoulSync sit behind Authelia/Authentik/oauth2-proxy as the gatekeeper: when
security.auth_proxy_header names a header (e.g. Remote-User), a request carrying it
is treated as already-authenticated and passes the launch lock — the proxy did the
login (with 2FA).

- core/security/auth_proxy.py: trusted_proxy_user(get_header, header_name) — returns
  the user iff the configured header is present + non-empty; empty header name (the
  default) → always None → feature off.
- _enforce_launch_pin ORs it into pin_verified. OFF by default, so a direct install
  is unaffected AND a client-spoofed header does nothing unless the operator opted in.
- Doc'd in Support/REVERSE-PROXY.md with the must-strip-client-headers warning.

This is the lightweight Tier 3 (auth-proxy integration), not a full per-user login —
the proxy owns identity; SoulSync trusts it.

Tests: helper off/on/blank/exception-safe; integration — trusted header passes the
gate, no header is locked, and (the safety pin) a spoofed header is IGNORED when the
feature is off. 6 tests pass.
2026-06-10 20:57:48 -07:00

31 lines
1.1 KiB
Python

"""Forward-auth proxy header trust (Tier 3): OFF by default → no-op; when the
operator configures a header, a request carrying it is treated as authenticated."""
from __future__ import annotations
from core.security.auth_proxy import trusted_proxy_user
def _headers(d):
return lambda name: d.get(name)
def test_off_when_no_header_configured():
# empty header name → feature disabled → always None (direct install unaffected)
assert trusted_proxy_user(_headers({'Remote-User': 'alice'}), '') is None
assert trusted_proxy_user(_headers({'Remote-User': 'alice'}), None) is None
def test_returns_user_when_header_present():
assert trusted_proxy_user(_headers({'Remote-User': 'alice'}), 'Remote-User') == 'alice'
def test_none_when_configured_header_absent_or_blank():
assert trusted_proxy_user(_headers({}), 'Remote-User') is None
assert trusted_proxy_user(_headers({'Remote-User': ' '}), 'Remote-User') is None
def test_get_header_exception_is_safe():
def boom(_name):
raise RuntimeError('header lookup blew up')
assert trusted_proxy_user(boom, 'Remote-User') is None