Open cyruz-git opened 1 month ago
Hmmm, I'm not sure I'm a big fan of this (at least the linkding implementation). I don't like this idea of the server blindly trusting some header and logging the user in if it's set.
Instead, what we can do is to allow you to pass custom headers (in the extension and mobile apps) that you can use to authenticate to the proxy with, and if the authentication succeeds, the requests then get forwarded to Hoarder. What do you think?
Or are you not talking about mobile apps/extension and referring to authenticating the web app itself? If yes, then why not just OIDC?
Yes I'm talking about the webapp. The custom headers for extensions and mobile apps are a good idea. They make for a great security layer over the web app itself.
The webapp needs flexibility though, and OIDC is not always the answer, especially if there is a need to maintain consistency across all the apps hosted through a proxy (in my case, for example, I like to enforce basic auth with 2FA).
Another alternative would be to authenticate through a JWT, if you think that a plain header is too insecure.
Consider anyway that a custom header would be insecure only if it is easy to guess. This is a pretty secure way to log in if a trusted proxy is configured to be the only one forwarding that particular header.
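One way to implement the "only a trusted proxy may forward that header" condition discussed above, as an added example that is not Hoarder's or linkding's own code. The config shape (`AuthProxyConfig`), the function name (`resolveProxyUser`), the header names `remote-user` / `x-auth-proxy-secret`, and the sample addresses are this example's assumptions. It shows the three checks that make a header-based login safe: the TCP peer must be the proxy, the proxy must present a shared secret the client never sees, and only then is the identity header honoured.

```typescript
import { timingSafeEqual } from "node:crypto";

// Hypothetical settings for trusting an upstream auth proxy. The names are
// this example's own, not Hoarder's or linkding's configuration keys.
interface AuthProxyConfig {
  enabled: boolean;
  trustedProxies: string[];     // peer addresses allowed to assert an identity
  usernameHeader: string;       // header the proxy sets after authenticating the user
  sharedSecretHeader: string;   // header carrying a secret only the proxy knows
  sharedSecret: string | null;  // null disables the secret check (address check still applies)
}

// Minimal view of a request: the TCP peer address and lower-cased header names.
interface IncomingRequest {
  remoteAddress: string;
  headers: Record<string, string | undefined>;
}

// Constant-time comparison so a wrong secret cannot be recovered byte by byte.
function secretsMatch(presented: string, expected: string): boolean {
  const a = Buffer.from(presented, "utf8");
  const b = Buffer.from(expected, "utf8");
  return a.length === b.length && timingSafeEqual(a, b);
}

// Returns the username asserted by the proxy, or null when the request must
// fall through to normal (password / OIDC) authentication.
function resolveProxyUser(req: IncomingRequest, cfg: AuthProxyConfig): string | null {
  if (!cfg.enabled) return null;

  // 1. The connection must come from the proxy itself. A client that reaches
  //    the app directly (misplaced firewall rule, exposed port) can send any
  //    header it likes, so the header alone proves nothing.
  if (!cfg.trustedProxies.includes(req.remoteAddress)) return null;

  // 2. The proxy proves it is the proxy with a secret the client never sees.
  if (cfg.sharedSecret !== null) {
    const presented = req.headers[cfg.sharedSecretHeader];
    if (presented === undefined || !secretsMatch(presented, cfg.sharedSecret)) return null;
  }

  // 3. Only now is the identity header trusted, and only if it looks like a
  //    username rather than something smuggled in through header injection.
  const user = req.headers[cfg.usernameHeader];
  if (user === undefined || !/^[A-Za-z0-9._@-]{1,128}$/.test(user)) return null;
  return user;
}

// Constructed sample configuration for the demo below.
const exampleConfig: AuthProxyConfig = {
  enabled: true,
  trustedProxies: ["10.0.0.2"],
  usernameHeader: "remote-user",
  sharedSecretHeader: "x-auth-proxy-secret",
  sharedSecret: "s3cr3t-only-the-proxy-knows",
};

// Constructed requests: one forwarded by the proxy, one spoofed by a client
// that reached the app directly, one from the proxy address with a bad secret.
const fromProxy: IncomingRequest = {
  remoteAddress: "10.0.0.2",
  headers: { "remote-user": "alice", "x-auth-proxy-secret": "s3cr3t-only-the-proxy-knows" },
};
const spoofedByClient: IncomingRequest = {
  remoteAddress: "203.0.113.9",
  headers: { "remote-user": "admin", "x-auth-proxy-secret": "s3cr3t-only-the-proxy-knows" },
};
const wrongSecret: IncomingRequest = {
  remoteAddress: "10.0.0.2",
  headers: { "remote-user": "admin", "x-auth-proxy-secret": "guess" },
};

console.log(resolveProxyUser(fromProxy, exampleConfig));        // alice
console.log(resolveProxyUser(spoofedByClient, exampleConfig));  // null
console.log(resolveProxyUser(wrongSecret, exampleConfig));      // null
```

Two caveats on the proxy side of this design: the proxy must set the identity header unconditionally on every forwarded request (for nginx, `proxy_set_header Remote-User $remote_user;` after `auth_basic`) so that a client-supplied copy is always overwritten rather than passed through, and `remoteAddress` must be the immediate TCP peer, not a value taken from `X-Forwarded-For`, which any client can write.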
Hi,
loving this app so far, but it lacks a way to authenticate through a proxy (the proxy authenticates the user and forwards a header to the webapp).
For your reference, Linkding implements this feature through the LD_ENABLE_AUTH_PROXY environment variable.
Thanks and keep up with the good work!