Add configuration foward-auth headers

2025-10-26 14:41:20 +11:00
parent 2679634a2b
commit 88428bfd97
13 changed files with 543 additions and 178 deletions
--- a/app/controllers/admin/forward_auth_rules_controller.rb
+++ b/app/controllers/admin/forward_auth_rules_controller.rb
@@ -17,6 +17,8 @@ module Admin

    def create
      @forward_auth_rule = ForwardAuthRule.new(forward_auth_rule_params)
+      # Handle headers configuration
+      @forward_auth_rule.headers_config = process_headers_config(params[:headers_config])

      if @forward_auth_rule.save
        # Handle group assignments
@@ -38,6 +40,10 @@ module Admin

    def update
      if @forward_auth_rule.update(forward_auth_rule_params)
+        # Handle headers configuration
+        @forward_auth_rule.headers_config = process_headers_config(params[:headers_config])
+        @forward_auth_rule.save!
+
        # Handle group assignments
        if params[:forward_auth_rule][:group_ids].present?
          group_ids = params[:forward_auth_rule][:group_ids].reject(&:blank?)
@@ -67,5 +73,12 @@ module Admin
    def forward_auth_rule_params
      params.require(:forward_auth_rule).permit(:domain_pattern, :active)
    end
+
+    def process_headers_config(headers_params)
+      return {} unless headers_params.is_a?(Hash)
+
+      # Clean up headers config - remove empty values, keep only filled ones
+      headers_params.select { |key, value| value.present? }.symbolize_keys
+    end
  end
 end
--- a/app/controllers/api/forward_auth_controller.rb
+++ b/app/controllers/api/forward_auth_controller.rb
@@ -64,19 +64,27 @@ module Api
      end

      # User is authenticated and authorized
-      # Return 200 with user information headers
-      response.headers["Remote-User"] = user.email_address
-      response.headers["Remote-Email"] = user.email_address
-      response.headers["Remote-Name"] = user.email_address
+      # Return 200 with user information headers using rule-specific configuration
+      headers = rule ? rule.headers_for_user(user) : ForwardAuthRule::DEFAULT_HEADERS.map { |key, header_name|
+        case key
+        when :user, :email, :name
+          [header_name, user.email_address]
+        when :groups
+          user.groups.any? ? [header_name, user.groups.pluck(:name).join(",")] : nil
+        when :admin
+          [header_name, user.admin? ? "true" : "false"]
+        end
+      }.compact.to_h

-      # Add groups if user has any
-      if user.groups.any?
-        response.headers["Remote-Groups"] = user.groups.pluck(:name).join(",")
+      headers.each { |key, value| response.headers[key] = value }
+
+      # Log what headers we're sending (helpful for debugging)
+      if headers.any?
+        Rails.logger.debug "ForwardAuth: Headers sent: #{headers.keys.join(', ')}"
+      else
+        Rails.logger.debug "ForwardAuth: No headers sent (access only)"
      end

-      # Add admin flag
-      response.headers["Remote-Admin"] = user.admin? ? "true" : "false"
-
      # Return 200 OK with no body
      head :ok
    end