Skip to content

feat(auth): AUTH_MODE enforcement + TRUST_REMOTE_USER_HEADER + path-prefix coverage#3

Closed
terafin wants to merge 1 commit into
joeblack2k:mainfrom
intarweb:feat/enforce-auth-mode
Closed

feat(auth): AUTH_MODE enforcement + TRUST_REMOTE_USER_HEADER + path-prefix coverage#3
terafin wants to merge 1 commit into
joeblack2k:mainfrom
intarweb:feat/enforce-auth-mode

Conversation

@terafin

@terafin terafin commented Jun 6, 2026

Copy link
Copy Markdown
Contributor

Summary

Auth-hardening series that gates every non-public endpoint behind a real auth check, plus integrates cleanly with header-based identity providers (Authelia / oauth2-proxy / Cloudflare Access).

Squashed into one commit; additive only (no behavior change for default-config users — AUTH_MODE is opt-in).

The change set:

  1. Enforce AUTH_MODE=enabled on all non-public endpoints — adds an explicit allowlist of public endpoints, then requires authenticated identity on everything else when AUTH_MODE=enabled. Previously some endpoints fell through unauthenticated.
  2. Pass through helper-identity requests so auto-enroll bootstrap works — small fix so the helper-auth bootstrap flow doesn't get blocked by the new gate.
  3. TRUST_REMOTE_USER_HEADER toggle + path-prefix coverage + spoof-resistance — opt-in support for trusting an upstream proxy's identity header, with path-prefix scoping, spoof-resistance against direct connections, and tests covering SSE streams + static asset paths.

Test plan

  • New auth-middleware test suite (backend/cmd/server/auth_middleware_test.go — ~500 lines) covers the AUTH_MODE gate, the TRUST_REMOTE_USER_HEADER flow, spoof-resistance, SSE handlers, and static-asset paths.
  • Existing test suite continues to pass — added behavior is fully gated by AUTH_MODE=enabled (the default AUTH_MODE value is unchanged).
  • Running live on the fork's intarweb-dev build for ~3 days with no regressions observed.

Backwards compatibility

Zero behavior change at default config — AUTH_MODE=enabled and TRUST_REMOTE_USER_HEADER are both opt-in. Operators not setting them get the exact pre-PR semantics.

Why this matters

For operators putting RSM behind an identity-aware proxy (Authelia, oauth2-proxy, Cloudflare Access), the missing pieces today are: (a) some endpoints not enforcing AUTH_MODE, and (b) no clean way to consume an upstream Remote-User header without rewriting middleware. This series closes both gaps with no risk to existing deployments.

🤖 Generated with Claude Code

…refix coverage

[squashed; see PR body for full description]

🤖 Generated with [Claude Code](https://claude.com/claude-code)
@terafin terafin force-pushed the feat/enforce-auth-mode branch from a9ffce2 to 225c319 Compare June 8, 2026 18:57
@terafin terafin marked this pull request as ready for review June 8, 2026 19:39

@joeblack2k joeblack2k left a comment

Copy link
Copy Markdown
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Blocking this for now: requireAuth currently bypasses every non-public endpoint whenever a request includes X-RSM-Device-Type and X-RSM-Fingerprint. That defers to helper auth only on helper-protocol routes, but on ordinary API/static routes there is no downstream helper authorization, so AUTH_MODE=enabled can be bypassed by spoofing those two headers. Please scope the helper-identity bypass to the actual helper sync/bootstrap routes, or otherwise ensure non-helper routes still require a real session/app-password/proxy identity. Add a regression test for a protected non-helper endpoint with those two headers returning 401.

@joeblack2k

Copy link
Copy Markdown
Owner

Superseded by #16. I could not push to the fork branch, so I rebased the same auth feature onto current main, added the requested bypass fix and regression coverage, validated CI, and merged it through #16.

@joeblack2k joeblack2k closed this Jun 15, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants