feat(networking): implement forward auth#1564
Conversation
|
@fallenbagel @gauthier-th This PR is now ready for review! |
fallenbagel
left a comment
There was a problem hiding this comment.
I didn't fully review this yet but I noticed one issue. The Dockerfile. Also in terms of UI, I would recommend putting the forwardAuth stuff to be indented like how http(s) proxy is done:

Also I would argue that this should be under the advanced networking section as this is not for the normal user. Wdyt about that @gauthier-th
100% agree |
|
@fallenbagel @gauthier-th Applied all the suggestions.
|
a7729d8 to
3c4134f
Compare
|
This pull request has merge conflicts. Please resolve the conflicts so the PR can be successfully reviewed and merged. |
|
excited for this, would love to setup authentik as the auth for jellyseerr, think this is the way to get that done. |
|
This pull request has merge conflicts. Please resolve the conflicts so the PR can be successfully reviewed and merged. |
|
Rebased this PR on top of latest develop and fixed a small bug. Ready for review! |
|
This pull request has merge conflicts. Please resolve the conflicts so the PR can be successfully reviewed and merged. |
|
This pull request has merge conflicts. Please resolve the conflicts so the PR can be successfully reviewed and merged. |
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
|
3 issues:
In OpenAPIValidator: cookieAuth is the security scheme on every endpoint and the validator runs before the auth middleware, so requests without a session cookie get rejected before forward-auth even has a chance. Fixed like this OpenApiValidator.middleware({
apiSpec: API_SPEC_PATH,
validateRequests: true,
+ validateSecurity: false,
})isAuthenticated() already does the actual auth check, so the validator's cookie requirement is redundant and it breaks any non-cookie auth path (this PR, OIDC in #2715, future API-key flows). @Jycreyn flagged the Can we get also automatic user creation? The lookup uses exact SQL equality on jellyfinUsername. That bites in practice because:
Could the WHERE be case-insensitive? With TypeORM: Edit: I did fixes here, incl auto creation of users: https://github.com/Sapd/seerr/commits/forward-auth-fixes/ |
|
@M0NsTeRRR I have carried forward the work of @ishanjain28 and @Sapd HERE fixing some issues regarding the cloudflare forward auth workflow as well as a bug if the proxy is running a dual stack listener. If the original author does not return I am willing to put in the work to get this over this finish line whether its fixing any actual issues or just resolving the merge conflicts. I have end-to-end tested my current branch and it seems fully functional. |
|
I can take a look at this again on upcoming weekend. |
|
@Xatrekak feel free to open some pull requests on @ishanjain28 fork. That way, he can review your fix and merge it when he has time this weekend. |
…net lib for ip-addr
1. Add comment explaining the trustedProxies setter in server. 2. Reformat header autocompletes and use toLowerCase when checking requests. 3. Remove Advanced Network Settings and restructure settings page.
Add auto provisioning gui
|
This has been rebased with changes from @Xatrekak. I also verified it in my instance, it works correctly. Ready for review! |
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment has been minimized.
This comment has been minimized.
|
I've been running this branch (the current head, plus fixes) in production behind two proxy paths simultaneously — Cloudflare Access with the email header on one hostname, and a second SSO reverse proxy (Pangolin) that's deliberately not in the trusted list on another. That turned out to be a good stress test, and I'd like to feed back what it found. Fixes — opened as a PR on the head fork (per the earlier suggestion to route fixes through @ishanjain28): ishanjain28#3. The one reviewers here may care most about: SSR page loads launder forward-auth headers through an unconditionally-trusted loopback ( Separately, one bug I hit turned out not to be forward-auth-specific at all ( One design gap in auto-provisioning worth a maintainer opinion before anyone codes it: the asserted email is both the identity join key and a user-editable profile field. With auto-provision enabled, a user renaming their Seerr email gets a duplicate account on the very next headered request — the IDP still asserts the old address, nothing matches, provisioning fills the gap. (There's no session to cushion it: per-request matching is deliberate here, and correctly so — the earlier session experiment was reverted for real reasons.) Options, roughly in ascending effort:
Related, since it came up earlier in this thread: the reverted session-perf idea has a middle path that addresses the Authelia user-switch objection — write the session and record which header identity minted it, then invalidate the session whenever the current header disagrees. Happy to prototype that too if there's interest. Disclosure: diagnosis and patches were done with AI assistance (Claude); I've reviewed everything and it's all running on my instance. |


Description
This PR adds the Forward Auth feature. It fixes the feedback received in previous attempt here
a. Verify the user field against
jellyfinUsername | plexUsernamecolumns.b. Verify the email field against
emailcolumn.c. Verify both the user and email fields.
How Has This Been Tested?
This has been tested using the included test suite and manually in different environments. Manual test examples,
Screenshots / Logs (if applicable)
Checklist:
pnpm buildpnpm i18n:extractSummary by CodeRabbit
New Features
Documentation
Chores
Tests
Quality