Open czwama opened 1 year ago
You must exclude the API endpoint from your proxy.
Thanks for your suggestion. The URL I use does not include /api; however, a redirect to Authelia is required to authenticate, and this seems to be the issue. I see there is an issue 229 for which you are planning to release changes; perhaps this will also fix my issue.
In fact I exclude the /api endpoint of paperless in traefik, so when the app calls /api, it's working as expected. Even if you use Authelia, the API is still protected with login ;)
Hey,
I'm facing the same "issue", I guess. I protect paperless with Authelia, so I cannot use paperless mobile without deactivating Authelia.
And I want to thank @JigSawFr. Here's my new (working) nginx reverse proxy conf:
```nginx
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name paperless.*;
    include /config/nginx/ssl.conf;
    client_max_body_size 0;

    # GeoBlock
    if ($geo-blacklist = no) { return 404; }

    # Authelia
    include /config/nginx/authelia-server.conf;

    location / {
        # Authelia
        include /config/nginx/authelia-location.conf;
        include /config/nginx/proxy.conf;
        include /config/nginx/resolver.conf;
        set $upstream_app 192.168.0.11;
        set $upstream_port 8000;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
    }

    # API paths skip the Authelia check so the mobile app can log in directly
    location /api {
        include /config/nginx/proxy.conf;
        include /config/nginx/resolver.conf;
        set $upstream_app 192.168.0.11;
        set $upstream_port 8000;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
    }
}
```
Thanks all for your inputs. I excluded the API now, and I can use the mobile app. However, this means that the normal user login is now protected by 2FA, but one can still get to the data using the API backdoor that is not protected by 2FA. So this is not really a solution for me.
For now I will take it out of Authelia and use the mobile app only locally, or over VPN.
The app is great by the way ! Love it very much.
Since Authelia seems to be frequently used in combination with paperless/self-hosted applications, I'd like to support it out of the box. Could someone set up a demo instance I can connect to, to debug the issue? Feel free to mail me the server address and credentials (of a test user, for instance) to paperless-mobile@protonmail.com
Thanks :)
That would be so great. I cannot set that up at the moment. I hope someone will give you a demo instance quickly. If not, I'll try to do it.
Hi Anton,
I set up a test environment and sent you the details by mail.
Regards,
Cees
Hi @czwama, thanks for providing a sandbox! I did some testing but couldn't find a way to "connect" the redirects from Authelia to the app.
As far as I understood it, the workflow looks as follows:
I'm not entirely sure about the last steps: What configuration is necessary for paperless? Does paperless behind Authelia always use HTTP_REMOTE_USER? Maybe someone with more insight into Authelia could help me figure out how this could be achieved, because I currently don't see a way to add this natively unfortunately. There seems to be no way for me to get the cookie from within the app, therefore you may have to disable authelia for the /api endpoints as suggested by @JigSawFr.
If anyone might know how this could be achieved, I'd be more than happy to implement this.
Cheers
Hi Anton, thanks for looking into this. I think what is needed is for the app to follow the redirect and get the API token, but I am not an expert in this area. I was not comfortable leaving the API bypassed, as it would allow people to access the data without 2FA authentication. Perhaps someone with more expertise in this area could help here.
It would also be great to support other authentication providers like Cloudflare zero trust. Cloudflare kind of works similarly to Authelia.
Cloudflare checks the cookies that are sent with the request. If no authentication cookie exists, a redirect to the login page will be made. After a successful login, the client receives the authentication cookie. The client can now use the authentication cookie in every request to the paperless API. Cloudflare will verify the authentication cookie and transparently forward the requests with a valid cookie.
@astubenbord, if it helps you, I can provide you with a paperless demo installation that is secured with Cloudflare zero trust.
Here's my config to bypass Authelia for the Paperless API in Caddy:
```caddyfile
@paperless host paperless.example.com
handle @paperless {
    # API requests go straight to Paperless, skipping Authelia
    handle /api/* {
        reverse_proxy {{Paperless IP}}:{{Paperless port}}
    }
    # Everything else must pass Authelia's forward_auth check first
    handle * {
        forward_auth {{Authelia IP}}:{{Authelia port}} {
            uri /api/verify?rd=https://auth.example.com/
            copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
            import trusted_proxy_list
        }
        reverse_proxy {{Paperless IP}}:{{Paperless port}} {
            import trusted_proxy_list
        }
        encode zstd gzip
        request_body {
            max_size 10MB
        }
    }
}
```
@astubenbord The guy who wrote Authelia is actually very helpful. He helped me set it up for the first time a few years back over Discord. You could also create a discussion/issue on their GitHub requesting some API token implementation to bypass 2FA and get a long-lived, revokable JWT or something. Authelia by default logs you out after a week (but this can be changed). Ideally the long-lived JWT would just be for Paperless. Another alternative would be OAuth2, which they are actively working on (the Paperless app would essentially open a browser, have you log in to Authelia with your usual stuff, then get the OAuth2 tokens that the Paperless app would use).
I also just tried to setup Paperless Mobile with Authelia, but it failed due to having 2FA enabled, searched around and found this thread.
Actually, in the interim, would it be possible to put a custom cookie or header in the app for all API calls somewhere? Nginx could be configured to allow the requests through if the cookie or header is set, essentially acting as a pre-shared secret.
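One way to turn the pre-shared-secret idea above into an nginx config, as an added example that is not part of the thread and not Paperless Mobile's or Authelia's own configuration: it keeps the layout of the SWAG-style conf posted earlier, leaves `/api/` outside the Authelia check as before, but only forwards an API request when the client presents a secret header, and answers 404 otherwise so the unauthenticated "backdoor" described above is closed. The header name `X-Paperless-App-Key`, the placeholder secret, the upstream address and the assumption that the mobile client can be made to send such a header are all assumptions; Paperless still enforces its own username/password or token login behind this.

```nginx
# Added example, not from the thread. Assumes the client sends the header
# X-Paperless-App-Key (nginx exposes it as $http_x_paperless_app_key).
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name paperless.*;
    include /config/nginx/ssl.conf;
    client_max_body_size 0;

    # Browser UI stays behind Authelia (login + 2FA).
    include /config/nginx/authelia-server.conf;

    location / {
        include /config/nginx/authelia-location.conf;
        include /config/nginx/proxy.conf;
        include /config/nginx/resolver.conf;
        set $upstream_app 192.168.0.11;
        set $upstream_port 8000;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
    }

    # ^~ prevents any regex location from silently taking over /api/ requests.
    # Trailing slash keeps unrelated prefixes such as /api-docs out of this block.
    location ^~ /api/ {
        # Exact, case-sensitive comparison; use a long random value
        # (e.g. 32+ characters from a CSPRNG), assumed placeholder here.
        if ($http_x_paperless_app_key != "REPLACE_WITH_LONG_RANDOM_SECRET") {
            return 404;
        }
        include /config/nginx/proxy.conf;
        include /config/nginx/resolver.conf;
        set $upstream_app 192.168.0.11;
        set $upstream_port 8000;
        set $upstream_proto http;
        # Strip the shared secret before the request reaches Paperless.
        proxy_set_header X-Paperless-App-Key "";
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
    }
}
```

To check the result from outside, `curl -o /dev/null -w '%{http_code}' https://paperless.example.com/api/documents/` should return 404 without the header, and `curl -H 'X-Paperless-App-Key: ...'` against the same URL should return Paperless's own 401/403, which shows the request reached the application and is now gated by its login. Rotating the secret means changing it in one place in the config and in the client, and this does not give the API 2FA; it only stops anonymous callers from skipping Authelia entirely.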
May I ask if there is an update on login with 2FA from Authelia? Thank you!!
I would also be interested if there is any update with this..?
I am using paperless in combination with Authelia. When logging into the app I am getting error 302, as it does not seem to support the redirect. Are there plans to include this?