Skip to content

Support for Proxy Auth via. HTTP header #1847

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
eyJhb opened this issue Dec 17, 2024 · 8 comments · May be fixed by #1859, wger-project/docs#42, wger-project/docker#121 or wger-project/flutter#708
Open

Support for Proxy Auth via. HTTP header #1847

eyJhb opened this issue Dec 17, 2024 · 8 comments · May be fixed by #1859, wger-project/docs#42, wger-project/docker#121 or wger-project/flutter#708

Comments

@eyJhb
Copy link
Contributor

eyJhb commented Dec 17, 2024
edited
Loading

Use case

This would allow to put e.g. Authelia in front of Wger, and then use the header that Authelia passes to wger to create/signin the user.
This could function as a simple way, to support the uses cases such as #1797 (not 100%, but it is quite simple to make).

See miniflux/v2#534 and https://grafana.com/docs/grafana/latest/auth/auth-proxy/ .

Proposal

  • Add config option PROXY_AUTH_HEADER=Remote-User
  • Add config option PROXY_AUTH_CREATE_USER=True
  • ALLOW_REGISTRATION=False should still allow creating users using PROXY_AUTH_
  • Mobile app should allow using API key instead of username/password for signin
    • This means user would first authenticate themselves using the website (go through e.g. Authelia -> Wger), copy API key, and then use that from the app.

I might take a jab at this if I have the time.
@eyJhb eyJhb changed the title Support for Auth Proxy Support for Proxy Auth via. HTTP header Dec 17, 2024
@rolandgeider
Copy link
Member

interesting, this would mean taking the auth header and just going along with it. My feeling is that this should be rather easy to do (or there is already some package for this)

@eyJhb
Copy link
Contributor Author

eyJhb commented Dec 18, 2024

I remember a issue with this. So it would require the app to be changed as well, to allow using API key for logging in, instead of using username/password, as that would no longer work (they have no password).

My current nginx setup allows anyone to access /static, /media and /api, and that should still work with such a setup as this.

This was referenced Jan 2, 2025
Open
Draft
@github-project-automation github-project-automation bot moved this to Backlog in Release 2.4 Mar 21, 2025
@rolandgeider rolandgeider linked a pull request Mar 21, 2025 that will close this issue
WIP: Adds ability to use API Key to "sign in" wger-project/flutter#708
Draft
5 tasks
@rolandgeider rolandgeider moved this from Backlog to In progress in Release 2.4 Apr 12, 2025
This was linked to pull requests Apr 12, 2025
Auth proxy docs wger-project/docs#42
Open
Allow setting the auth proxy header wger-project/docker#121
Open
@rolandgeider
Copy link
Member

(have started adding the setting and the docs to the other repos)

@rolandgeider
Copy link
Member

grafana has an optional IP whitelist, might also be a good idea

@rolandgeider rolandgeider mentioned this issue Apr 16, 2025
Closed
@eyJhb
Copy link
Contributor Author

eyJhb commented Apr 16, 2025

grafana has an optional IP whitelist, might also be a good idea

Might be a good idea to support in the future, but isn't necessary for this, is it? :)

@rolandgeider
Copy link
Member

I just added it now, wasn't much work, seems more secure that way 😄

If you can, can you checkout the branch and check that it works it with a real auth service? I've just done some very rudimentary tests

@eyJhb
Copy link
Contributor Author

eyJhb commented Apr 17, 2025

Is the intention that you're forced to set AUTH_PROXY_TRUSTED_IPS? Because it's somewhat dubious what it actually protects from. I think many will be running it through nginx, where REMOTE_ADDR should always be 127.0.0.1, but that would STILL allow a malicious user to set the header, ie. no protection.

What it protects against, is if wger is bound to 0.0.0.0, and someone connects directly to it, around the reverse proxy.

E.g. I specifically set this in places, where I want to ensure the client cannot manipulate the headers. This is e.g. for the API endpoint, which shouldn't use that form of authentication, on mobile devices.

proxy_set_header Remote-User "";
proxy_set_header Remote-Groups "";
proxy_set_header Remote-Email "";
proxy_set_header Remote-Name "";

I'll try to test it out when I find the time :)

@rolandgeider
Copy link
Member

What it protects against, is if wger is bound to 0.0.0.0, and someone connects directly to it, around the reverse proxy.

exactly. In the docker setup the application and the proxy are different services and you only want to accept the headers from the one you want (ok, here you couldn't access the application directly from the outside, but with other setups, you might). I feel that explicitly whitelisting the auth proxy makes it clearer and avoids potentially leaving this open because you didn't think about something.

I'll try to test it out when I find the time :)

💪🏻

@rolandgeider rolandgeider moved this from In progress to In review in Release 2.4 Apr 24, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
Release 2.4
Status: In review
Milestone
No milestone
2 participants
@rolandgeider @eyJhb