Auto login with Authelia

2026-01-23 13:51:41 +01:00
parent 3d11470f81
commit cd401e108f
1 changed files with 49 additions and 23 deletions
--- a/app.py
+++ b/app.py
@@ -116,7 +116,7 @@ def get_authelia_user():
    for header in auth_headers:
        user = request.headers.get(header)
        if user:
-            logger.info(f"Authelia user detected via {header}: {user}")
+            logger.info(f"✅ Authelia user detected via header '{header}': {user}")
            return user
    
    # Check Zoraxy forwarded headers (sometimes encoded differently)
@@ -127,39 +127,48 @@ def get_authelia_user():
            for header in auth_headers:
                if header in fwd_headers:
                    user = fwd_headers[header]
-                    logger.info(f"Authelia user detected via forwarded headers - {header}: {user}")
+                    logger.info(f"✅ Authelia user detected via forwarded headers - {header}: {user}")
                    return user
        except:
            pass
    
+    # Log when no Authelia user found (for debugging)
+    if ENABLE_PROXY:
+        logger.debug("⚠️  No Authelia headers found in request")
+        logger.debug(f"Available headers: {list(request.headers.keys())}")
+    
    return None

 def login_required(f):
    """Decorator to require login for routes"""
    @wraps(f)
    def decorated_function(*args, **kwargs):
-        # Check for Authelia authentication
-        authelia_user = get_authelia_user()
+        # Auto-login with Authelia (only when ENABLE_PROXY=true)
+        if ENABLE_PROXY:
+            authelia_user = get_authelia_user()
            
-        # If Authelia authenticated the user, update local session
-        if authelia_user:
-            # Log all headers for debugging
-            if app.debug:
-                logger.info(f"Headers for authenticated request: {dict(request.headers)}")
+            # If Authelia authenticated the user, auto-login
+            if authelia_user:
+                if not session.get('logged_in') or session.get('authelia_user') != authelia_user:
+                    logger.info(f"🔐 Auto-login via Authelia in API route: {authelia_user}")
+                    session.clear()
+                    session.permanent = True
+                    session['logged_in'] = True
+                    session['authelia_user'] = authelia_user
+                    session['user_token'] = secrets.token_urlsafe(32)
+                    session['auth_method'] = 'authelia'
+                    session.modified = True
                    
-            if not session.get('logged_in') or session.get('authelia_user') != authelia_user:
-                logger.info(f"Auto-login via Authelia for user: {authelia_user}")
-                session.clear()
-                session.permanent = True
-                session['logged_in'] = True
-                session['authelia_user'] = authelia_user
-                session['user_token'] = secrets.token_urlsafe(32)
-                session['auth_method'] = 'authelia'
-                session.modified = True
+                    # Store additional info
+                    session['remote_email'] = request.headers.get('Remote-Email', '')
+                    session['remote_name'] = request.headers.get('Remote-Name', '')
+                    session['remote_groups'] = request.headers.get('Remote-Groups', '')
                    
-            return f(*args, **kwargs)
+                    logger.info(f"✅ Auto-login in API route: {authelia_user}")
                    
-        # Regular session check
+                return f(*args, **kwargs)
+        
+        # Regular session check (when ENABLE_PROXY=false or no Authelia headers)
        if not session.get('logged_in'):
            logger.warning("Access denied: User not authenticated")
            if request.is_json:
@@ -173,6 +182,18 @@ def login_required(f):
 def login():
    """Login page or JSON login endpoint"""
    
+    # Validate session mode matches current proxy setting
+    if session.get('logged_in'):
+        session_mode = session.get('auth_method', 'unknown')
+        
+        # Clear session if mode mismatch
+        if ENABLE_PROXY and session_mode == 'local':
+            logger.info("⚠️  Session mode mismatch: Clearing local session (proxy mode enabled)")
+            session.clear()
+        elif not ENABLE_PROXY and session_mode == 'authelia':
+            logger.info("⚠️  Session mode mismatch: Clearing authelia session (proxy mode disabled)")
+            session.clear()
+    
    # Auto-login when ENABLE_PROXY=true and Authelia headers are present
    if ENABLE_PROXY:
        authelia_user = get_authelia_user()
@@ -198,6 +219,11 @@ def login():
            
            # Already logged in via Authelia - redirect to main page
            return redirect(url_for('index'))
+        else:
+            # ENABLE_PROXY=true but no Authelia headers found
+            logger.warning("⚠️  ENABLE_PROXY=true but no Authelia headers detected!")
+            logger.warning("   Make sure your reverse proxy forwards authentication headers")
+            logger.warning(f"   Available headers: {list(request.headers.keys())}")
    
    # Handle form submission for local authentication (only when ENABLE_PROXY=false)
    if request.method == 'POST':