feat(auth): AUTH_MODE enforcement + TRUST_REMOTE_USER_HEADER + path-prefix coverage#3
Closed
terafin wants to merge 1 commit into
Closed
feat(auth): AUTH_MODE enforcement + TRUST_REMOTE_USER_HEADER + path-prefix coverage#3terafin wants to merge 1 commit into
terafin wants to merge 1 commit into
Conversation
…refix coverage [squashed; see PR body for full description] 🤖 Generated with [Claude Code](https://claude.com/claude-code)
a9ffce2 to
225c319
Compare
joeblack2k
requested changes
Jun 15, 2026
joeblack2k
left a comment
Owner
There was a problem hiding this comment.
Blocking this for now: requireAuth currently bypasses every non-public endpoint whenever a request includes X-RSM-Device-Type and X-RSM-Fingerprint. That defers to helper auth only on helper-protocol routes, but on ordinary API/static routes there is no downstream helper authorization, so AUTH_MODE=enabled can be bypassed by spoofing those two headers. Please scope the helper-identity bypass to the actual helper sync/bootstrap routes, or otherwise ensure non-helper routes still require a real session/app-password/proxy identity. Add a regression test for a protected non-helper endpoint with those two headers returning 401.
Owner
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Auth-hardening series that gates every non-public endpoint behind a real auth check, plus integrates cleanly with header-based identity providers (Authelia / oauth2-proxy / Cloudflare Access).
Squashed into one commit; additive only (no behavior change for default-config users —
AUTH_MODEis opt-in).The change set:
AUTH_MODE=enabledon all non-public endpoints — adds an explicit allowlist of public endpoints, then requires authenticated identity on everything else whenAUTH_MODE=enabled. Previously some endpoints fell through unauthenticated.TRUST_REMOTE_USER_HEADERtoggle + path-prefix coverage + spoof-resistance — opt-in support for trusting an upstream proxy's identity header, with path-prefix scoping, spoof-resistance against direct connections, and tests covering SSE streams + static asset paths.Test plan
backend/cmd/server/auth_middleware_test.go— ~500 lines) covers theAUTH_MODEgate, theTRUST_REMOTE_USER_HEADERflow, spoof-resistance, SSE handlers, and static-asset paths.AUTH_MODE=enabled(the defaultAUTH_MODEvalue is unchanged).intarweb-devbuild for ~3 days with no regressions observed.Backwards compatibility
Zero behavior change at default config —
AUTH_MODE=enabledandTRUST_REMOTE_USER_HEADERare both opt-in. Operators not setting them get the exact pre-PR semantics.Why this matters
For operators putting RSM behind an identity-aware proxy (Authelia, oauth2-proxy, Cloudflare Access), the missing pieces today are: (a) some endpoints not enforcing
AUTH_MODE, and (b) no clean way to consume an upstreamRemote-Userheader without rewriting middleware. This series closes both gaps with no risk to existing deployments.🤖 Generated with Claude Code