Auto login with Authelia

2026-01-23 13:41:39 +01:00
parent 877ecf32b4
commit 3d11470f81
3 changed files with 53 additions and 45 deletions
--- a/app.py
+++ b/app.py
@@ -171,40 +171,35 @@ def login_required(f):

@app.route('/login', methods=['GET', 'POST'])
 def login():
-    """Login page"""
-    # First, try Authelia authentication
-    authelia_user = get_authelia_user()
+    """Login page or JSON login endpoint"""
    
-    # Debug logging for all requests
-    if app.debug:
-        logger.info(f"Login route: method={request.method}, headers={dict(request.headers)}")
-    
-    # If Authelia authenticated, login and redirect to index
-    if authelia_user:
-        logger.info(f"Login via Authelia for user: {authelia_user}")
-        session.clear()
-        session.permanent = True
-        session['logged_in'] = True
-        session['authelia_user'] = authelia_user
-        session['user_token'] = secrets.token_urlsafe(32)
-        session['auth_method'] = 'authelia'
-        session.modified = True
+    # Auto-login when ENABLE_PROXY=true and Authelia headers are present
+    if ENABLE_PROXY:
+        authelia_user = get_authelia_user()
        
-        # Set a cookie manually to ensure it's properly formatted for Zoraxy
-        response = redirect(url_for('index'))
-        # Set cookie parameters to work with Zoraxy/Authelia
-        response.set_cookie(
-            key=app.config['SESSION_COOKIE_NAME'],
-            value=secrets.token_urlsafe(32),  # Generate a new token instead of using session.sid
-            max_age=int(app.config['PERMANENT_SESSION_LIFETIME'].total_seconds()),
-            path=app.config['SESSION_COOKIE_PATH'],
-            secure=app.config['SESSION_COOKIE_SECURE'],
-            httponly=app.config['SESSION_COOKIE_HTTPONLY'],
-            samesite='None'
-        )
-        return response
+        if authelia_user:
+            # User authenticated by Authelia - auto-login
+            if not session.get('logged_in'):
+                logger.info(f"🔐 Auto-login: User '{authelia_user}' authenticated by Authelia")
+                session.clear()
+                session.permanent = True
+                session['logged_in'] = True
+                session['user_token'] = secrets.token_urlsafe(32)
+                session['auth_method'] = 'authelia'
+                session['authelia_user'] = authelia_user
+                session.modified = True
+                
+                # Get additional Authelia info if available
+                session['remote_email'] = request.headers.get('Remote-Email', '')
+                session['remote_name'] = request.headers.get('Remote-Name', '')
+                session['remote_groups'] = request.headers.get('Remote-Groups', '')
+                
+                logger.info(f"✅ Auto-login successful: {authelia_user} ({session.get('remote_email', 'no email')})")
+            
+            # Already logged in via Authelia - redirect to main page
+            return redirect(url_for('index'))
    
-    # Handle form submission for local authentication
+    # Handle form submission for local authentication (only when ENABLE_PROXY=false)
    if request.method == 'POST':
        password = request.json.get('password', '')
        logger.info("Login attempt with password (redacted)")
@@ -286,20 +281,28 @@ def logout():
@app.route('/')
 def index():
    """Main page - requires login"""
-    # Try to auto-login with Authelia
-    authelia_user = get_authelia_user()
-    
-    if authelia_user and not session.get('logged_in'):
-        # Auto-login for users authenticated by Authelia
-        logger.info(f"Auto-login via Authelia for user: {authelia_user}")
-        session.clear()
-        session.permanent = True
-        session['logged_in'] = True
-        session['authelia_user'] = authelia_user
-        session['user_token'] = secrets.token_urlsafe(32)
-        session['auth_method'] = 'authelia'
-        session.modified = True
-        return render_template('index.html')
+    # Auto-login with Authelia (only when ENABLE_PROXY=true)
+    if ENABLE_PROXY:
+        authelia_user = get_authelia_user()
+        
+        if authelia_user and not session.get('logged_in'):
+            # Auto-login for users authenticated by Authelia
+            logger.info(f"🔐 Auto-login via Authelia for user: {authelia_user}")
+            session.clear()
+            session.permanent = True
+            session['logged_in'] = True
+            session['authelia_user'] = authelia_user
+            session['user_token'] = secrets.token_urlsafe(32)
+            session['auth_method'] = 'authelia'
+            session.modified = True
+            
+            # Store additional Authelia info
+            session['remote_email'] = request.headers.get('Remote-Email', '')
+            session['remote_name'] = request.headers.get('Remote-Name', '')
+            session['remote_groups'] = request.headers.get('Remote-Groups', '')
+            
+            logger.info(f"✅ Auto-login successful: {authelia_user} ({session.get('remote_email', 'no email')})")
+            return render_template('index.html')
    
    # Check if logged in
    if not session.get('logged_in'):