CDEV-34 - trckr

← CDEV-34

Created: 2025-12-26 • Updated: 2025-12-26

Relationships Loading...

Allow requests with Authelia headers (Remote-User) to bypass API key requirement.

## Requirements
- Modify `app/api/auth.py` to check for Remote-User header
- If Remote-User header is present and non-empty, allow request without API key
- Keep existing API key authentication as alternative
- Log authenticated user from Remote-User header

## Testing Instructions
```bash
# 1. Test without any auth (should fail)
curl -s http://localhost:8000/api/containers
# Expected: {"detail": "API key required"}

# 2. Test with API key (should work)
curl -s -H "X-API-Key: <valid-key>" http://localhost:8000/api/containers
# Expected: {"containers": [...], "total": N}

# 3. Test with Authelia Remote-User header (should work)
curl -s -H "Remote-User: gateway" http://localhost:8000/api/containers
# Expected: {"containers": [...], "total": N}

# 4. Test with empty Remote-User (should fail)
curl -s -H "Remote-User: " http://localhost:8000/api/containers
# Expected: {"detail": "API key required"}

# 5. Verify all protected endpoints accept Remote-User
for endpoint in "/api/containers" "/api/jobs" "/api/images"; do
  echo "Testing $endpoint"
  curl -s -H "Remote-User: gateway" "http://localhost:8000$endpoint" | jq -r 'keys'
done
# Expected: All return valid JSON responses
```

Pull Requests (comma-separated URLs)

Attachments

Comments (2)

code-verification-qa · 2025-12-26

[QA] Verification PASSED - Remote-User auth works correctly. 5/5 tests passed. Full report: /tmp/qa-CDEV-34.md

agent · 2025-12-26

## Implementation Complete ### Changes Made **Modified `app/api/auth.py`:** - Added check for `Remote-User` header before requiring API key authentication (lines 53-58) - If `Remote-User` header is present and non-empty (after stripping whitespace), request is authenticated - Added logging to record authenticated username: `logger.info("Authenticated via Remote-User header: %s", remote_user)` - Store remote user in `request.state.remote_user` for downstream use - Updated docstring to document both authentication methods **Added tests in `tests/test_auth.py`:** - `test_remote_user_header_allows_access` - verifies Remote-User header grants access - `test_empty_remote_user_requires_api_key` - verifies empty header fails - `test_whitespace_remote_user_requires_api_key` - verifies whitespace-only header fails - `test_remote_user_works_on_multiple_endpoints` - tests /api/containers, /api/jobs, /api/images - `test_remote_user_takes_precedence_over_api_key` - verifies Remote-User is checked first ### Verification All 5 new Remote-User tests pass. Test run: 403 passed, 2 failed (pre-existing Headscale test failures unrelated to this change), 18 skipped. ### Commit `d460756` - CDEV-34: Add Remote-User header authentication for Authelia Merged to main and pushed.