auth/reverseproxy: Add support for full name (#20776)
This adds support for getting the user's full name from the reverse proxy in addition to username and email. Tested locally with caddy serving as reverse proxy with Tailscale authentication. Signed-off-by: Will Norris <will@tailscale.com> Signed-off-by: Will Norris <will@tailscale.com> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
This commit is contained in:
parent
1f146090ec
commit
82f89ff996
6 changed files with 20 additions and 3 deletions
|
@ -377,9 +377,10 @@ INTERNAL_TOKEN=
|
||||||
;; Name of cookie used to store authentication information.
|
;; Name of cookie used to store authentication information.
|
||||||
;COOKIE_REMEMBER_NAME = gitea_incredible
|
;COOKIE_REMEMBER_NAME = gitea_incredible
|
||||||
;;
|
;;
|
||||||
;; Reverse proxy authentication header name of user name and email
|
;; Reverse proxy authentication header name of user name, email, and full name
|
||||||
;REVERSE_PROXY_AUTHENTICATION_USER = X-WEBAUTH-USER
|
;REVERSE_PROXY_AUTHENTICATION_USER = X-WEBAUTH-USER
|
||||||
;REVERSE_PROXY_AUTHENTICATION_EMAIL = X-WEBAUTH-EMAIL
|
;REVERSE_PROXY_AUTHENTICATION_EMAIL = X-WEBAUTH-EMAIL
|
||||||
|
;REVERSE_PROXY_AUTHENTICATION_FULL_NAME = X-WEBAUTH-FULLNAME
|
||||||
;;
|
;;
|
||||||
;; Interpret X-Forwarded-For header or the X-Real-IP header and set this as the remote IP for the request
|
;; Interpret X-Forwarded-For header or the X-Real-IP header and set this as the remote IP for the request
|
||||||
;REVERSE_PROXY_LIMIT = 1
|
;REVERSE_PROXY_LIMIT = 1
|
||||||
|
@ -694,6 +695,7 @@ ROUTER = console
|
||||||
;ENABLE_REVERSE_PROXY_AUTHENTICATION = false
|
;ENABLE_REVERSE_PROXY_AUTHENTICATION = false
|
||||||
;ENABLE_REVERSE_PROXY_AUTO_REGISTRATION = false
|
;ENABLE_REVERSE_PROXY_AUTO_REGISTRATION = false
|
||||||
;ENABLE_REVERSE_PROXY_EMAIL = false
|
;ENABLE_REVERSE_PROXY_EMAIL = false
|
||||||
|
;ENABLE_REVERSE_PROXY_FULL_NAME = false
|
||||||
;;
|
;;
|
||||||
;; Enable captcha validation for registration
|
;; Enable captcha validation for registration
|
||||||
;ENABLE_CAPTCHA = false
|
;ENABLE_CAPTCHA = false
|
||||||
|
|
|
@ -492,6 +492,8 @@ Certain queues have defaults that override the defaults set in `[queue]` (this o
|
||||||
authentication.
|
authentication.
|
||||||
- `REVERSE_PROXY_AUTHENTICATION_EMAIL`: **X-WEBAUTH-EMAIL**: Header name for reverse proxy
|
- `REVERSE_PROXY_AUTHENTICATION_EMAIL`: **X-WEBAUTH-EMAIL**: Header name for reverse proxy
|
||||||
authentication provided email.
|
authentication provided email.
|
||||||
|
- `REVERSE_PROXY_AUTHENTICATION_FULL_NAME`: **X-WEBAUTH-FULLNAME**: Header name for reverse proxy
|
||||||
|
authentication provided full name.
|
||||||
- `REVERSE_PROXY_LIMIT`: **1**: Interpret X-Forwarded-For header or the X-Real-IP header and set this as the remote IP for the request.
|
- `REVERSE_PROXY_LIMIT`: **1**: Interpret X-Forwarded-For header or the X-Real-IP header and set this as the remote IP for the request.
|
||||||
Number of trusted proxy count. Set to zero to not use these headers.
|
Number of trusted proxy count. Set to zero to not use these headers.
|
||||||
- `REVERSE_PROXY_TRUSTED_PROXIES`: **127.0.0.0/8,::1/128**: List of IP addresses and networks separated by comma of trusted proxy servers. Use `*` to trust all.
|
- `REVERSE_PROXY_TRUSTED_PROXIES`: **127.0.0.0/8,::1/128**: List of IP addresses and networks separated by comma of trusted proxy servers. Use `*` to trust all.
|
||||||
|
@ -577,6 +579,8 @@ Certain queues have defaults that override the defaults set in `[queue]` (this o
|
||||||
for reverse authentication.
|
for reverse authentication.
|
||||||
- `ENABLE_REVERSE_PROXY_EMAIL`: **false**: Enable this to allow to auto-registration with a
|
- `ENABLE_REVERSE_PROXY_EMAIL`: **false**: Enable this to allow to auto-registration with a
|
||||||
provided email rather than a generated email.
|
provided email rather than a generated email.
|
||||||
|
- `ENABLE_REVERSE_PROXY_FULL_NAME`: **false**: Enable this to allow to auto-registration with a
|
||||||
|
provided full name for the user.
|
||||||
- `ENABLE_CAPTCHA`: **false**: Enable this to use captcha validation for registration.
|
- `ENABLE_CAPTCHA`: **false**: Enable this to use captcha validation for registration.
|
||||||
- `REQUIRE_EXTERNAL_REGISTRATION_CAPTCHA`: **false**: Enable this to force captcha validation
|
- `REQUIRE_EXTERNAL_REGISTRATION_CAPTCHA`: **false**: Enable this to force captcha validation
|
||||||
even for External Accounts (i.e. GitHub, OpenID Connect, etc). You also must enable `ENABLE_CAPTCHA`.
|
even for External Accounts (i.e. GitHub, OpenID Connect, etc). You also must enable `ENABLE_CAPTCHA`.
|
||||||
|
|
|
@ -38,6 +38,7 @@ var Service = struct {
|
||||||
EnableReverseProxyAuth bool
|
EnableReverseProxyAuth bool
|
||||||
EnableReverseProxyAutoRegister bool
|
EnableReverseProxyAutoRegister bool
|
||||||
EnableReverseProxyEmail bool
|
EnableReverseProxyEmail bool
|
||||||
|
EnableReverseProxyFullName bool
|
||||||
EnableCaptcha bool
|
EnableCaptcha bool
|
||||||
RequireExternalRegistrationCaptcha bool
|
RequireExternalRegistrationCaptcha bool
|
||||||
RequireExternalRegistrationPassword bool
|
RequireExternalRegistrationPassword bool
|
||||||
|
@ -127,6 +128,7 @@ func newService() {
|
||||||
Service.EnableReverseProxyAuth = sec.Key("ENABLE_REVERSE_PROXY_AUTHENTICATION").MustBool()
|
Service.EnableReverseProxyAuth = sec.Key("ENABLE_REVERSE_PROXY_AUTHENTICATION").MustBool()
|
||||||
Service.EnableReverseProxyAutoRegister = sec.Key("ENABLE_REVERSE_PROXY_AUTO_REGISTRATION").MustBool()
|
Service.EnableReverseProxyAutoRegister = sec.Key("ENABLE_REVERSE_PROXY_AUTO_REGISTRATION").MustBool()
|
||||||
Service.EnableReverseProxyEmail = sec.Key("ENABLE_REVERSE_PROXY_EMAIL").MustBool()
|
Service.EnableReverseProxyEmail = sec.Key("ENABLE_REVERSE_PROXY_EMAIL").MustBool()
|
||||||
|
Service.EnableReverseProxyFullName = sec.Key("ENABLE_REVERSE_PROXY_FULL_NAME").MustBool()
|
||||||
Service.EnableCaptcha = sec.Key("ENABLE_CAPTCHA").MustBool(false)
|
Service.EnableCaptcha = sec.Key("ENABLE_CAPTCHA").MustBool(false)
|
||||||
Service.RequireExternalRegistrationCaptcha = sec.Key("REQUIRE_EXTERNAL_REGISTRATION_CAPTCHA").MustBool(Service.EnableCaptcha)
|
Service.RequireExternalRegistrationCaptcha = sec.Key("REQUIRE_EXTERNAL_REGISTRATION_CAPTCHA").MustBool(Service.EnableCaptcha)
|
||||||
Service.RequireExternalRegistrationPassword = sec.Key("REQUIRE_EXTERNAL_REGISTRATION_PASSWORD").MustBool()
|
Service.RequireExternalRegistrationPassword = sec.Key("REQUIRE_EXTERNAL_REGISTRATION_PASSWORD").MustBool()
|
||||||
|
|
|
@ -186,6 +186,7 @@ var (
|
||||||
CookieRememberName string
|
CookieRememberName string
|
||||||
ReverseProxyAuthUser string
|
ReverseProxyAuthUser string
|
||||||
ReverseProxyAuthEmail string
|
ReverseProxyAuthEmail string
|
||||||
|
ReverseProxyAuthFullName string
|
||||||
ReverseProxyLimit int
|
ReverseProxyLimit int
|
||||||
ReverseProxyTrustedProxies []string
|
ReverseProxyTrustedProxies []string
|
||||||
MinPasswordLength int
|
MinPasswordLength int
|
||||||
|
@ -909,6 +910,7 @@ func loadFromConf(allowEmpty bool, extraConfig string) {
|
||||||
|
|
||||||
ReverseProxyAuthUser = sec.Key("REVERSE_PROXY_AUTHENTICATION_USER").MustString("X-WEBAUTH-USER")
|
ReverseProxyAuthUser = sec.Key("REVERSE_PROXY_AUTHENTICATION_USER").MustString("X-WEBAUTH-USER")
|
||||||
ReverseProxyAuthEmail = sec.Key("REVERSE_PROXY_AUTHENTICATION_EMAIL").MustString("X-WEBAUTH-EMAIL")
|
ReverseProxyAuthEmail = sec.Key("REVERSE_PROXY_AUTHENTICATION_EMAIL").MustString("X-WEBAUTH-EMAIL")
|
||||||
|
ReverseProxyAuthFullName = sec.Key("REVERSE_PROXY_AUTHENTICATION_FULL_NAME").MustString("X-WEBAUTH-FULLNAME")
|
||||||
|
|
||||||
ReverseProxyLimit = sec.Key("REVERSE_PROXY_LIMIT").MustInt(1)
|
ReverseProxyLimit = sec.Key("REVERSE_PROXY_LIMIT").MustInt(1)
|
||||||
ReverseProxyTrustedProxies = sec.Key("REVERSE_PROXY_TRUSTED_PROXIES").Strings(",")
|
ReverseProxyTrustedProxies = sec.Key("REVERSE_PROXY_TRUSTED_PROXIES").Strings(",")
|
||||||
|
|
|
@ -257,6 +257,7 @@ func Config(ctx *context.Context) {
|
||||||
ctx.Data["ScriptType"] = setting.ScriptType
|
ctx.Data["ScriptType"] = setting.ScriptType
|
||||||
ctx.Data["ReverseProxyAuthUser"] = setting.ReverseProxyAuthUser
|
ctx.Data["ReverseProxyAuthUser"] = setting.ReverseProxyAuthUser
|
||||||
ctx.Data["ReverseProxyAuthEmail"] = setting.ReverseProxyAuthEmail
|
ctx.Data["ReverseProxyAuthEmail"] = setting.ReverseProxyAuthEmail
|
||||||
|
ctx.Data["ReverseProxyAuthFullName"] = setting.ReverseProxyAuthFullName
|
||||||
|
|
||||||
ctx.Data["SSH"] = setting.SSH
|
ctx.Data["SSH"] = setting.SSH
|
||||||
ctx.Data["LFS"] = setting.LFS
|
ctx.Data["LFS"] = setting.LFS
|
||||||
|
|
|
@ -105,9 +105,15 @@ func (r *ReverseProxy) newUser(req *http.Request) *user_model.User {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
var fullname string
|
||||||
|
if setting.Service.EnableReverseProxyFullName {
|
||||||
|
fullname = req.Header.Get(setting.ReverseProxyAuthFullName)
|
||||||
|
}
|
||||||
|
|
||||||
user := &user_model.User{
|
user := &user_model.User{
|
||||||
Name: username,
|
Name: username,
|
||||||
Email: email,
|
Email: email,
|
||||||
|
FullName: fullname,
|
||||||
}
|
}
|
||||||
|
|
||||||
overwriteDefault := user_model.CreateUserOverwriteOptions{
|
overwriteDefault := user_model.CreateUserOverwriteOptions{
|
||||||
|
|
Loading…
Reference in a new issue