Auto login with Authelia

.gitignore

@@ -14,4 +14,5 @@ BUI*
 build.sh
 docker-compose.dist*
 GITEA.md
-PROXY_AUTHELIA_SETUP.md
+PROXY_AUTHELIA_SETUP.md
+alias.rune.pm.config

app.py

@@ -100,12 +100,12 @@ def after_request(response):
     return response
 
 def get_authelia_user():
-    """Helper to get authenticated user from Authelia headers"""
+    """Helper to get authenticated user from Authelia headers or session cookie"""
-    # Check several possible header variations
+    # Check several possible header variations (ORDER MATTERS - most specific first!)
     auth_headers = [
-        'Remote-User',
+        'X-Authelia-Username',      # Authelia standard header (used by Zoraxy)
+        'Remote-User',               # Common standard
         'X-Remote-User',
-        'X-Authelia-Username', 
         'X-Forwarded-User',
         'REMOTE_USER',
         'Http-Remote-User',
@@ -132,6 +132,19 @@ def get_authelia_user():
         except:
             pass
     
+    # WORKAROUND: If Authelia session cookie exists and we're coming from auth.rune.pm,
+    # assume user is authenticated (Authelia not forwarding headers properly)
+    if ENABLE_PROXY and 'authelia_session' in request.cookies:
+        referer = request.headers.get('Referer', '')
+        if 'auth.rune.pm' in referer or request.headers.get('X-Forwarded-Proto') == 'https':
+            # Valid Authelia session exists - assume authenticated
+            # Use a generic identifier since we don't have the actual username
+            pseudo_user = f"authelia_user_{request.cookies.get('authelia_session')[:8]}"
+            logger.info(f"✅ Authelia authentication detected via session cookie (headers not forwarded)")
+            logger.info(f"   Using pseudo-user identifier: {pseudo_user}")
+            logger.info(f"   NOTE: Configure Authelia to forward Remote-User header for proper username")
+            return pseudo_user
+    
     # Log when no Authelia user found (for debugging)
     if ENABLE_PROXY:
         logger.debug("⚠️  No Authelia headers found in request")
@@ -159,10 +172,13 @@ def login_required(f):
                     session['auth_method'] = 'authelia'
                     session.modified = True
                     
-                    # Store additional info
+                    # Store additional info (check both Remote-* and X-Authelia-* headers)
-                    session['remote_email'] = request.headers.get('Remote-Email', '')
+                    session['remote_email'] = (request.headers.get('X-Authelia-Email') or 
-                    session['remote_name'] = request.headers.get('Remote-Name', '')
+                                              request.headers.get('Remote-Email', ''))
-                    session['remote_groups'] = request.headers.get('Remote-Groups', '')
+                    session['remote_name'] = (request.headers.get('X-Authelia-DisplayName') or 
+                                             request.headers.get('Remote-Name', ''))
+                    session['remote_groups'] = (request.headers.get('X-Authelia-Groups') or 
+                                               request.headers.get('Remote-Groups', ''))
                     
                     logger.info(f"✅ Auto-login in API route: {authelia_user}")
                     
@@ -210,10 +226,13 @@ def login():
                 session['authelia_user'] = authelia_user
                 session.modified = True
                 
-                # Get additional Authelia info if available
+                # Get additional Authelia info (check both Remote-* and X-Authelia-* headers)
-                session['remote_email'] = request.headers.get('Remote-Email', '')
+                session['remote_email'] = (request.headers.get('X-Authelia-Email') or 
-                session['remote_name'] = request.headers.get('Remote-Name', '')
+                                          request.headers.get('Remote-Email', ''))
-                session['remote_groups'] = request.headers.get('Remote-Groups', '')
+                session['remote_name'] = (request.headers.get('X-Authelia-DisplayName') or 
+                                         request.headers.get('Remote-Name', ''))
+                session['remote_groups'] = (request.headers.get('X-Authelia-Groups') or 
+                                           request.headers.get('Remote-Groups', ''))
                 
                 logger.info(f"✅ Auto-login successful: {authelia_user} ({session.get('remote_email', 'no email')})")
             
@@ -322,10 +341,13 @@ def index():
             session['auth_method'] = 'authelia'
             session.modified = True
             
-            # Store additional Authelia info
+            # Store additional Authelia info (check both Remote-* and X-Authelia-* headers)
-            session['remote_email'] = request.headers.get('Remote-Email', '')
+            session['remote_email'] = (request.headers.get('X-Authelia-Email') or 
-            session['remote_name'] = request.headers.get('Remote-Name', '')
+                                      request.headers.get('Remote-Email', ''))
-            session['remote_groups'] = request.headers.get('Remote-Groups', '')
+            session['remote_name'] = (request.headers.get('X-Authelia-DisplayName') or 
+                                     request.headers.get('Remote-Name', ''))
+            session['remote_groups'] = (request.headers.get('X-Authelia-Groups') or 
+                                       request.headers.get('Remote-Groups', ''))
             
             logger.info(f"✅ Auto-login successful: {authelia_user} ({session.get('remote_email', 'no email')})")
             return render_template('index.html')