soulsync/Support
BoulderBadgeDad 86d0a0dd62 Security: trust a forward-auth proxy user header (Tier 3)
Lets SoulSync sit behind Authelia/Authentik/oauth2-proxy as the gatekeeper: when
security.auth_proxy_header names a header (e.g. Remote-User), a request carrying it
is treated as already-authenticated and passes the launch lock — the proxy did the
login (with 2FA).

- core/security/auth_proxy.py: trusted_proxy_user(get_header, header_name) — returns
  the user iff the configured header is present + non-empty; empty header name (the
  default) → always None → feature off.
- _enforce_launch_pin ORs it into pin_verified. OFF by default, so a direct install
  is unaffected AND a client-spoofed header does nothing unless the operator opted in.
- Doc'd in Support/REVERSE-PROXY.md with the must-strip-client-headers warning.

This is the lightweight Tier 3 (auth-proxy integration), not a full per-user login —
the proxy owns identity; SoulSync trusts it.

Tests: helper off/on/blank/exception-safe; integration — trusted header passes the
gate, no header is locked, and (the safety pin) a spoofed header is IGNORED when the
feature is off. 6 tests pass.
2026-06-10 20:57:48 -07:00
..
API.md Update API.md 2026-03-04 14:13:22 -08:00
AUTOMATIONS.md update readme and include automation docs 2026-03-05 18:45:00 -08:00
DOCKER-OAUTH-FIX.md Reverse proxy fix 2026-03-03 12:04:53 -08:00
DOCKER-TRANSFER-GUIDE.md organization 2026-01-27 12:23:19 -08:00
DOCKER.md organization 2026-01-27 12:23:19 -08:00
DOCKER_PERMISSIONS.md organization 2026-01-27 12:23:19 -08:00
IMPORT-STAGING-GUIDE.md Create IMPORT-STAGING-GUIDE.md 2026-03-01 16:53:40 -08:00
METADATA-FALLBACK-IMPLEMENTATION.md organization 2026-01-27 12:23:19 -08:00
README-Docker.md Document dev/nightly release channels and contributor workflow 2026-04-21 14:40:24 -07:00
REVERSE-PROXY.md Security: trust a forward-auth proxy user header (Tier 3) 2026-06-10 20:57:48 -07:00
UNRAID.md organization 2026-01-27 12:23:19 -08:00