Open FrozenDragoon opened 2 months ago
Hi, Thanks for getting the implementation started. I tested the script with Postman, as I don’t have a proxy. I noticed you mentioned additional authentication protocols might be needed. I’ve read that JWT tokens could be used for proxy challenges. Is this something you were considering? I’m not very familiar with proxies, so I’d appreciate your insights. Thanks!
Sorry, I got busy and I haven't had the chance to return to this over the past few weeks.
I wouldn't say additional protocols are "needed", but I think that using OAuth or JWT would be the more "secure" (maybe even "correct") way to do this. I mentioned them, but I am not considering implementing them. I am very much a novice and implementing one (or either) of those protocols is something I consider to be far beyond my current skill or knowledge.
But there are plenty of apps (such as Gitea, Ombi, and others) that use header authentication, so it's definitely something that is used in production as long as we do it correctly.
My attempt at passing user auth information from an SSO provider (specifically Authelia) through a reverse proxy (Nginx) to GiftManager. This will allow a form of semi-SSO without the need to implement more in-depth or complicated things like OIDC, etc.
This does not really address #4, but it's a first step depending on a given user's setup.
I do not consider this final yet. It "works", but definitely needs more testing and cleanup. In particular around the `TRUSTED_PROXY` config, since we should not accept the username header from just anyone. I also need to test more redirection scenarios. At this time I've really only tested it by hitting the index. But, any other page should redirect to `/login`, which should pick up the header and update the session info so it may be OK.