Auto login with Authelia
46
app.py
46
app.py
@@ -116,7 +116,7 @@ def get_authelia_user():
|
|||||||
for header in auth_headers:
|
for header in auth_headers:
|
||||||
user = request.headers.get(header)
|
user = request.headers.get(header)
|
||||||
if user:
|
if user:
|
||||||
logger.info(f"Authelia user detected via {header}: {user}")
|
logger.info(f"✅ Authelia user detected via header '{header}': {user}")
|
||||||
return user
|
return user
|
||||||
|
|
||||||
# Check Zoraxy forwarded headers (sometimes encoded differently)
|
# Check Zoraxy forwarded headers (sometimes encoded differently)
|
||||||
@@ -127,28 +127,30 @@ def get_authelia_user():
|
|||||||
for header in auth_headers:
|
for header in auth_headers:
|
||||||
if header in fwd_headers:
|
if header in fwd_headers:
|
||||||
user = fwd_headers[header]
|
user = fwd_headers[header]
|
||||||
logger.info(f"Authelia user detected via forwarded headers - {header}: {user}")
|
logger.info(f"✅ Authelia user detected via forwarded headers - {header}: {user}")
|
||||||
return user
|
return user
|
||||||
except:
|
except:
|
||||||
pass
|
pass
|
||||||
|
|
||||||
|
# Log when no Authelia user found (for debugging)
|
||||||
|
if ENABLE_PROXY:
|
||||||
|
logger.debug("⚠️ No Authelia headers found in request")
|
||||||
|
logger.debug(f"Available headers: {list(request.headers.keys())}")
|
||||||
|
|
||||||
return None
|
return None
|
||||||
|
|
||||||
def login_required(f):
|
def login_required(f):
|
||||||
"""Decorator to require login for routes"""
|
"""Decorator to require login for routes"""
|
||||||
@wraps(f)
|
@wraps(f)
|
||||||
def decorated_function(*args, **kwargs):
|
def decorated_function(*args, **kwargs):
|
||||||
# Check for Authelia authentication
|
# Auto-login with Authelia (only when ENABLE_PROXY=true)
|
||||||
|
if ENABLE_PROXY:
|
||||||
authelia_user = get_authelia_user()
|
authelia_user = get_authelia_user()
|
||||||
|
|
||||||
# If Authelia authenticated the user, update local session
|
# If Authelia authenticated the user, auto-login
|
||||||
if authelia_user:
|
if authelia_user:
|
||||||
# Log all headers for debugging
|
|
||||||
if app.debug:
|
|
||||||
logger.info(f"Headers for authenticated request: {dict(request.headers)}")
|
|
||||||
|
|
||||||
if not session.get('logged_in') or session.get('authelia_user') != authelia_user:
|
if not session.get('logged_in') or session.get('authelia_user') != authelia_user:
|
||||||
logger.info(f"Auto-login via Authelia for user: {authelia_user}")
|
logger.info(f"🔐 Auto-login via Authelia in API route: {authelia_user}")
|
||||||
session.clear()
|
session.clear()
|
||||||
session.permanent = True
|
session.permanent = True
|
||||||
session['logged_in'] = True
|
session['logged_in'] = True
|
||||||
@@ -157,9 +159,16 @@ def login_required(f):
|
|||||||
session['auth_method'] = 'authelia'
|
session['auth_method'] = 'authelia'
|
||||||
session.modified = True
|
session.modified = True
|
||||||
|
|
||||||
|
# Store additional info
|
||||||
|
session['remote_email'] = request.headers.get('Remote-Email', '')
|
||||||
|
session['remote_name'] = request.headers.get('Remote-Name', '')
|
||||||
|
session['remote_groups'] = request.headers.get('Remote-Groups', '')
|
||||||
|
|
||||||
|
logger.info(f"✅ Auto-login in API route: {authelia_user}")
|
||||||
|
|
||||||
return f(*args, **kwargs)
|
return f(*args, **kwargs)
|
||||||
|
|
||||||
# Regular session check
|
# Regular session check (when ENABLE_PROXY=false or no Authelia headers)
|
||||||
if not session.get('logged_in'):
|
if not session.get('logged_in'):
|
||||||
logger.warning("Access denied: User not authenticated")
|
logger.warning("Access denied: User not authenticated")
|
||||||
if request.is_json:
|
if request.is_json:
|
||||||
@@ -173,6 +182,18 @@ def login_required(f):
|
|||||||
def login():
|
def login():
|
||||||
"""Login page or JSON login endpoint"""
|
"""Login page or JSON login endpoint"""
|
||||||
|
|
||||||
|
# Validate session mode matches current proxy setting
|
||||||
|
if session.get('logged_in'):
|
||||||
|
session_mode = session.get('auth_method', 'unknown')
|
||||||
|
|
||||||
|
# Clear session if mode mismatch
|
||||||
|
if ENABLE_PROXY and session_mode == 'local':
|
||||||
|
logger.info("⚠️ Session mode mismatch: Clearing local session (proxy mode enabled)")
|
||||||
|
session.clear()
|
||||||
|
elif not ENABLE_PROXY and session_mode == 'authelia':
|
||||||
|
logger.info("⚠️ Session mode mismatch: Clearing authelia session (proxy mode disabled)")
|
||||||
|
session.clear()
|
||||||
|
|
||||||
# Auto-login when ENABLE_PROXY=true and Authelia headers are present
|
# Auto-login when ENABLE_PROXY=true and Authelia headers are present
|
||||||
if ENABLE_PROXY:
|
if ENABLE_PROXY:
|
||||||
authelia_user = get_authelia_user()
|
authelia_user = get_authelia_user()
|
||||||
@@ -198,6 +219,11 @@ def login():
|
|||||||
|
|
||||||
# Already logged in via Authelia - redirect to main page
|
# Already logged in via Authelia - redirect to main page
|
||||||
return redirect(url_for('index'))
|
return redirect(url_for('index'))
|
||||||
|
else:
|
||||||
|
# ENABLE_PROXY=true but no Authelia headers found
|
||||||
|
logger.warning("⚠️ ENABLE_PROXY=true but no Authelia headers detected!")
|
||||||
|
logger.warning(" Make sure your reverse proxy forwards authentication headers")
|
||||||
|
logger.warning(f" Available headers: {list(request.headers.keys())}")
|
||||||
|
|
||||||
# Handle form submission for local authentication (only when ENABLE_PROXY=false)
|
# Handle form submission for local authentication (only when ENABLE_PROXY=false)
|
||||||
if request.method == 'POST':
|
if request.method == 'POST':
|
||||||
|
|||||||
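Review bot: The new `session['remote_email']`, `session['remote_name']` and `session['remote_groups']` assignments in `login_required` read the `Remote-*` headers straight from the request, and nothing visible in this section checks that the request actually arrived through the Authelia-fronting proxy. If the app is reachable without passing through that proxy, or the proxy does not strip client-supplied `Remote-*` headers, these values and the user returned by `get_authelia_user()` are caller-controlled, which matters most for `remote_groups` if it is later used for authorization. Consider gating the auto-login on the peer address, e.g. `if ENABLE_PROXY and request.remote_addr in TRUSTED_PROXY_ADDRS:` (where `TRUSTED_PROXY_ADDRS` is a placeholder for a configured allow-list that is not on this page), and documenting the assumption with a comment such as `# Remote-* headers are trusted only because the proxy strips and re-sets them`. The header-derived `{authelia_user}` is also interpolated into the new log lines unescaped, so formatting it with `!r` would keep embedded control characters from forging log entries. `get_authelia_user` begins outside the visible hunks, so any validation done earlier in it is not shown here.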