-
-
Notifications
You must be signed in to change notification settings - Fork 87
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[WIP] Auto-Login via Header #253
base: main
Are you sure you want to change the base?
Conversation
WalkthroughThe changes introduce a new header-based authentication mechanism within the application, adding support for external user identifiers. The updates include modifications to various components, such as controllers, middleware, routes, and database schemas, to accommodate the new functionality. Additionally, documentation and configuration files have been updated to reflect the new options available for proxy settings and authentication. Changes
Poem
Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media? 🪧 TipsChatThere are 3 ways to chat with CodeRabbit:
Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments. CodeRabbit Commands (Invoked using PR comments)
Other keywords and placeholders
CodeRabbit Configuration File (
|
Also, I added a trusted IP mechanism to enhance security with this feature and changed the Real IP middleware to only be active when some trusted IPs are set. |
As a note with creating users, that don't exist, I haven't reviewed the code yet, but given the whole groups thing, how would that end up working header wise? Just a new header that auth services can set? And what happens if they don't? Just create a new group for the user? |
Maybe this plus an environment variable to set the default group for all header-created users ? I'm not using homebox (yet) so I'm not sure if a new group should be created for each user or if the more common use case is all users in a single group. If it's the second case the default group variable would be better. So :
|
The way it currently works, is if a user registers without a invite code it generates a new tenant entirely. However invite codes probably wouldn't work with header login. I know that at least with some auth software you can set custom user attributes, which would allow for setting the tenant via a header, but not all of them? I think we might need further community input on this overall to get more of a consensus on how to handle this. |
I don't think the header login mechanism should be very complicated, there is another pull request about OIDC support and I feel like this would handle the more complex authentication cases. |
What type of PR is this?
What this PR does / why we need it:
The goal of this PR is to allow homebox to directly log in any request with a specified header mapping to a user, or create the user if it does not exist.
This is useful in reverse-proxy scenarios, where the reverse proxy already authenticates the user (for example, Home Assistant Ingress)
Which issue(s) this PR fixes:
It would improve sysadminsmedia/homebox-ha-addon#1 but there's no issue for specifically this
Special notes for your reviewer:
This is still a draft, with only basic backend logic and no frontend logic. I'm looking for help with which part of the code I would change. I started doing what I think it the correct way but since I don't know the project I'm not too sure.
Testing
Draft, not yet working
Summary by CodeRabbit
Release Notes
New Features
headerAuthEnabled
property in API responses.Documentation
Bug Fixes
These changes enhance security and flexibility for user authentication and configuration management.