diff --git a/app.py b/app.py
index 4a9ce6d..7484ce9 100644
--- a/app.py
+++ b/app.py
@@ -116,7 +116,7 @@ def get_authelia_user():
 for header in auth_headers:
 user = request.headers.get(header)
 if user:
- logger.info(f"Authelia user detected via {header}: {user}")
+ logger.info(f"✅ Authelia user detected via header '{header}': {user}")
 return user
 # Check Zoraxy forwarded headers (sometimes encoded differently)
@@ -127,39 +127,48 @@ def get_authelia_user():
 for header in auth_headers:
 if header in fwd_headers:
 user = fwd_headers[header]
- logger.info(f"Authelia user detected via forwarded headers - {header}: {user}")
+ logger.info(f"✅ Authelia user detected via forwarded headers - {header}: {user}")
 return user
 except:
 pass
+ # Log when no Authelia user found (for debugging)
+ if ENABLE_PROXY:
+ logger.debug("⚠️ No Authelia headers found in request")
+ logger.debug(f"Available headers: {list(request.headers.keys())}")
+
 return None
 def login_required(f):
 """Decorator to require login for routes"""
 @wraps(f)
 def decorated_function(*args, **kwargs):
- # Check for Authelia authentication
- authelia_user = get_authelia_user()
+ # Auto-login with Authelia (only when ENABLE_PROXY=true)
+ if ENABLE_PROXY:
+ authelia_user = get_authelia_user()
+
+ # If Authelia authenticated the user, auto-login
+ if authelia_user:
+ if not session.get('logged_in') or session.get('authelia_user') != authelia_user:
+ logger.info(f"🔐 Auto-login via Authelia in API route: {authelia_user}")
+ session.clear()
+ session.permanent = True
+ session['logged_in'] = True
+ session['authelia_user'] = authelia_user
+ session['user_token'] = secrets.token_urlsafe(32)
+ session['auth_method'] = 'authelia'
+ session.modified = True
+
+ # Store additional info
+ session['remote_email'] = request.headers.get('Remote-Email', '')
+ session['remote_name'] = request.headers.get('Remote-Name', '')
+ session['remote_groups'] = request.headers.get('Remote-Groups', '')
+
+ logger.info(f"✅ Auto-login in API route: {authelia_user}")
+
+ return f(*args, **kwargs)
- # If Authelia authenticated the user, update local session
- if authelia_user:
- # Log all headers for debugging
- if app.debug:
- logger.info(f"Headers for authenticated request: {dict(request.headers)}")
-
- if not session.get('logged_in') or session.get('authelia_user') != authelia_user:
- logger.info(f"Auto-login via Authelia for user: {authelia_user}")
- session.clear()
- session.permanent = True
- session['logged_in'] = True
- session['authelia_user'] = authelia_user
- session['user_token'] = secrets.token_urlsafe(32)
- session['auth_method'] = 'authelia'
- session.modified = True
-
- return f(*args, **kwargs)
-
- # Regular session check
+ # Regular session check (when ENABLE_PROXY=false or no Authelia headers)
 if not session.get('logged_in'):
 logger.warning("Access denied: User not authenticated")
 if request.is_json:
@@ -173,6 +182,18 @@ def login_required(f):
 def login():
 """Login page or JSON login endpoint"""
+ # Validate session mode matches current proxy setting
+ if session.get('logged_in'):
+ session_mode = session.get('auth_method', 'unknown')
+
+ # Clear session if mode mismatch
+ if ENABLE_PROXY and session_mode == 'local':
+ logger.info("⚠️ Session mode mismatch: Clearing local session (proxy mode enabled)")
+ session.clear()
+ elif not ENABLE_PROXY and session_mode == 'authelia':
+ logger.info("⚠️ Session mode mismatch: Clearing authelia session (proxy mode disabled)")
+ session.clear()
+
 # Auto-login when ENABLE_PROXY=true and Authelia headers are present
 if ENABLE_PROXY:
 authelia_user = get_authelia_user()
@@ -198,6 +219,11 @@ def login():
 # Already logged in via Authelia - redirect to main page
 return redirect(url_for('index'))
+ else:
+ # ENABLE_PROXY=true but no Authelia headers found
+ logger.warning("⚠️ ENABLE_PROXY=true but no Authelia headers detected!")
+ logger.warning(" Make sure your reverse proxy forwards authentication headers")
+ logger.warning(f" Available headers: {list(request.headers.keys())}")
 # Handle form submission for local authentication (only when ENABLE_PROXY=false)
 if request.method == 'POST':
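Review bot: The auto-login path added to `decorated_function` mints a full session from request headers gated only on `ENABLE_PROXY`, with no check that the request actually came through the proxy, so if the app is reachable directly a client can supply the Authelia-style user header itself (presumably `Remote-User`, plus `Remote-Groups`, which this hunk copies into the session verbatim) and bypass authentication. Guard the header trust on the request source, e.g. `if ENABLE_PROXY and request.remote_addr in TRUSTED_PROXIES:` with `TRUSTED_PROXIES` read from config, or at minimum document the assumption above the branch: `# Trusts Remote-* headers: the app must only be reachable through the authenticating proxy`. How `get_authelia_user` builds `auth_headers` and the Zoraxy `fwd_headers` path is outside this hunk, so the exact header names are inferred from the `Remote-*` lookups visible here. `get_authelia_user` starts before the hunk and `decorated_function` continues past its end.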
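Review bot: The `auth_method` mismatch check added at the top of `login` only runs when a client visits the login route, while the decorator's fallback "Regular session check" still accepts any session with `logged_in` set, so flipping `ENABLE_PROXY` does not invalidate existing sessions of the other mode on protected routes. Consider hoisting the check into a helper such as `_session_mode_valid()` and calling it from both `login` and the decorator's fallback branch, clearing the session there as well. Note also that a session without `auth_method` falls to `'unknown'` and is kept in both modes by this check; if that is deliberate for pre-upgrade sessions, say so: `# Sessions created before auth_method existed are left untouched`. `login` continues past the end of the hunk.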
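Review bot: The new `else` branch emits three WARNING lines, including the request's header names, for every unauthenticated hit on the login route while `ENABLE_PROXY` is set, which lets any client fill the log with attacker-chosen header names and buries the one genuine misconfiguration message. Log the configuration hint once (a module-level `_warned_missing_headers` flag) or at `logger.debug`, keep the header list at debug level at most, and merge the three calls into one `logger.warning` with a multi-line message so they are not interleaved under concurrent requests. The `if authelia_user:` this `else` apparently pairs with lies above the hunk, and `login` continues past its end.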