allow creating users from reverse proxy headers #2899
base: Develop
Why hasn't this been merged @OzzieIsaacs?
FWIW, i've been running my own fork of calibre-web with this feature since i opened the PR, with no problems. this PR is open for the benefit of the community. here's how i run it: Based on the comment in the README:
i'm assuming this PR will never be merged, so i recommend forking and patching if you want this or other features. BTW @MisterMustache -- your comment came off as pretty aggressive to me, not sure if that was the intent, but i prefer to be more gentle to overworked OSS maintainers.
God no! I'm sorry if it came out that way -- that was never my intention. I made the comment with genuine curiosity because I haven't seen the README with the note you posted in the comment. I fully support the main maintainer and wish him all the best.
Thank you for contributing, I really appreciate it! 😄
oops! relevant section from calibre-web:
```yaml
build:
  context: ./custom/calibre
# image was patched to better support proxy auth
#image: lscr.io/linuxserver/calibre-web:latest
restart: unless-stopped
container_name: calibre
environment:
  - PUID=116
  - PGID=5004
  - TZ=America/Los_Angeles
  - DOCKER_MODS=linuxserver/mods:universal-calibre
  - OAUTHLIB_RELAX_TOKEN_SCOPE=1
volumes:
  - ${STORAGE}/calibre/config:/config
  - /media/books:/books
labels:
  traefik.enable: true
  traefik.http.routers.calibre.rule: Host(`<redacted>`)
  traefik.http.routers.calibre.tls: true
  traefik.http.routers.calibre.tls.certresolver: le
  traefik.http.routers.calibre.entrypoints: https
  traefik.http.services.calibre.loadbalancer.server.port: 8083
  traefik.http.routers.calibre.middlewares: authentik@file
```

the Dockerfile:
Hello @igor47, just had an issue with your PR. I am using Keycloak and Traefik (getting reverse proxy auth thanks to this bridge), I set up
Do you have an idea of what might not be working? Thanks a lot. EDIT: I managed to solve it in a way, by writing anything in the email field,
allowing login via reverse proxy auth is convenient, but it's not convenient to have to create the users in advance. this PR allows users to be optionally created if they don't already exist. we provide this as an option in the UI
b3adf67 to a326949
yup i wasn't handling this. i updated the PR.
Currently, when authentication happens in the reverse proxy, the user must already be in `calibre-web`'s DB or else nothing happens. Source:

With this PR, we add an option to also create the user. User creation is modeled on how we do it in LDAP sync. If the user creation fails for whatever reason, still nothing happens, and the failure happens transparently to the user, exactly how it happens today if the user doesn't already exist in the DB.
This is a very-low code PR, but it makes authenticating with reverse proxies much easier. The alternatives to this PR are:
i think for people using centralized auth (authentik/authelia) with a reverse proxy (traefik/caddy/nginx) this provides the biggest bang-for-buck without much code to maintain.
We don't do any group setting here, so users will likely be created non-admin. My recommended flow to set up auth:
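
Added example, not code from this PR or from calibre-web and not the setup flow mentioned above: a Python sketch of the behaviour the description outlines (look up the proxy-supplied user, optionally create it as non-admin, fall back to "nothing happens" if creation fails). The header name `Remote-User`, the proxy network, the username pattern and the `UserStore` class are assumptions, as is the check that the request actually arrived from the proxy before the header is honoured.

```python
import ipaddress
import re

# Assumed values for illustration; none of them come from the PR.
LOGIN_HEADER = "Remote-User"
TRUSTED_PROXIES = [ipaddress.ip_network("172.18.0.0/16")]  # constructed
VALID_NAME = re.compile(r"[A-Za-z0-9._@-]{1,64}")


class UserStore:
    """In-memory stand-in for the application's user table (hypothetical)."""

    def __init__(self, fail_on_create=False):
        self.users = {}
        self.fail_on_create = fail_on_create

    def get(self, name):
        return self.users.get(name)

    def create(self, name):
        if self.fail_on_create:
            raise RuntimeError("simulated database error")
        # New accounts get no admin role; an admin grants it later.
        self.users[name] = {"name": name, "admin": False}
        return self.users[name]


def proxy_login(peer_ip, headers, store, auto_create):
    """Return the user record for a proxy-authenticated request, or None."""
    # Honour the header only when the request came from the proxy itself.
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in TRUSTED_PROXIES):
        return None
    name = headers.get(LOGIN_HEADER, "").strip()
    if not VALID_NAME.fullmatch(name):
        return None
    user = store.get(name)
    if user is not None:
        return user
    if not auto_create:
        return None  # behaviour without the option: unknown user, no login
    try:
        return store.create(name)
    except Exception:
        return None  # creation failure falls back to "nothing happens"
```

With auto-creation enabled, every identity the proxy asserts becomes an account, so the peer check and the non-admin default carry the access-control weight that manual user creation carried before.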