Implement support for authentication via Auth Proxy

Auth Proxy allows to authenticate a user using an HTTP header provided by an external authentication service. This provides a way to authenticate users in miniflux using authentication schemes not supported by miniflux itself (LDAP, non-Google OAuth2 providers, etc.) and to implement SSO for multiple applications behind single authentication service. Auth Proxy header is checked for the '/' endpoint only, as the rest are protected by the miniflux user/app sessions. Closes #534 Signed-off-by: Pavel Borzenkov <pavel.borzenkov@gmail.com>
2025-09-15 18:57:04 +00:00 · 2020-01-29 13:45:59 +03:00 · 2020-01-29 13:45:59 +03:00 · 7389c79c52
commit 7389c79c52
parent d5adf8b9f6
5 changed files with 159 additions and 1 deletions
--- a/config/options.go
+++ b/config/options.go
@ -44,6 +44,8 @@ const (
 	defaultPocketConsumerKey         = ""
 	defaultHTTPClientTimeout         = 20
 	defaultHTTPClientMaxBodySize     = 15
+	defaultAuthProxyHeader           = ""
+	defaultAuthProxyUserCreation     = false
 )

 // Options contains configuration options.
@ -82,6 +84,8 @@ type Options struct {
 	pocketConsumerKey         string
 	httpClientTimeout         int
 	httpClientMaxBodySize     int64
+	authProxyHeader           string
+	authProxyUserCreation     bool
 }

 // NewOptions returns Options with default values.
@ -121,6 +125,8 @@ func NewOptions() *Options {
 		pocketConsumerKey:         defaultPocketConsumerKey,
 		httpClientTimeout:         defaultHTTPClientTimeout,
 		httpClientMaxBodySize:     defaultHTTPClientMaxBodySize * 1024 * 1024,
+		authProxyHeader:           defaultAuthProxyHeader,
+		authProxyUserCreation:     defaultAuthProxyUserCreation,
 	}
 }

@ -297,6 +303,18 @@ func (o *Options) HTTPClientMaxBodySize() int64 {
 	return o.httpClientMaxBodySize
 }

+// AuthProxyHeader returns an HTTP header name that contains username for
+// authentication using auth proxy.
+func (o *Options) AuthProxyHeader() string {
+	return o.authProxyHeader
+}
+
+// IsAuthProxyUserCreationAllowed returns true if user creation is allowed for
+// users authenticated using auth proxy.
+func (o *Options) IsAuthProxyUserCreationAllowed() bool {
+	return o.authProxyUserCreation
+}
+
 func (o *Options) String() string {
 	var builder strings.Builder
 	builder.WriteString(fmt.Sprintf("LOG_DATE_TIME: %v\n", o.logDateTime))
@ -333,5 +351,7 @@ func (o *Options) String() string {
 	builder.WriteString(fmt.Sprintf("OAUTH2_PROVIDER: %v\n", o.oauth2Provider))
 	builder.WriteString(fmt.Sprintf("HTTP_CLIENT_TIMEOUT: %v\n", o.httpClientTimeout))
 	builder.WriteString(fmt.Sprintf("HTTP_CLIENT_MAX_BODY_SIZE: %v\n", o.httpClientMaxBodySize))
+	builder.WriteString(fmt.Sprintf("AUTH_PROXY_HEADER: %v\n", o.authProxyHeader))
+	builder.WriteString(fmt.Sprintf("AUTH_PROXY_USER_CREATION: %v\n", o.authProxyUserCreation))
 	return builder.String()
 }