Lets SoulSync sit behind Authelia/Authentik/oauth2-proxy as the gatekeeper: when security.auth_proxy_header names a header (e.g. Remote-User), a request carrying it is treated as already-authenticated and passes the launch lock — the proxy did the login (with 2FA). - core/security/auth_proxy.py: trusted_proxy_user(get_header, header_name) — returns the user iff the configured header is present + non-empty; empty header name (the default) → always None → feature off. - _enforce_launch_pin ORs it into pin_verified. OFF by default, so a direct install is unaffected AND a client-spoofed header does nothing unless the operator opted in. - Doc'd in Support/REVERSE-PROXY.md with the must-strip-client-headers warning. This is the lightweight Tier 3 (auth-proxy integration), not a full per-user login — the proxy owns identity; SoulSync trusts it. Tests: helper off/on/blank/exception-safe; integration — trusted header passes the gate, no header is locked, and (the safety pin) a spoofed header is IGNORED when the feature is off. 6 tests pass. |
||
|---|---|---|
| .. | ||
| API.md | ||
| AUTOMATIONS.md | ||
| DOCKER-OAUTH-FIX.md | ||
| DOCKER-TRANSFER-GUIDE.md | ||
| DOCKER.md | ||
| DOCKER_PERMISSIONS.md | ||
| IMPORT-STAGING-GUIDE.md | ||
| METADATA-FALLBACK-IMPLEMENTATION.md | ||
| README-Docker.md | ||
| REVERSE-PROXY.md | ||
| UNRAID.md | ||