[PR #1522] [MERGED] Feature HTTP Basic Authentication support #226 #937 #1110

Closed
opened 2025-11-13 12:18:26 -06:00 by GiteaMirror · 0 comments

📋 Pull Request Information

Original PR: https://github.com/fosrl/pangolin/pull/1522
Author: @jln-brtn
Created: 9/22/2025
Status: Merged
Merged: 10/6/2025
Merged by: @oschwartz10612

Base: main ← Head: feature-header-authentication


📝 Commits (6)

  • 850e9a7 Adding HTTP Header Authentication
  • 6105eea Fix rebase
  • 23f05d7 Add translations to EN
  • 2c46a37 Include in hybrid
  • e121dd0 Add to blueprints
  • 5a3bf2f Fix import issue

📊 Changes

17 files changed (+596 additions, -49 deletions)

View changed files

📝 messages/en-US.json (+17 -3)
📝 server/auth/actions.ts (+1 -1)
📝 server/db/pg/schema.ts (+9 -0)
📝 server/db/queries/verifySessionQueries.ts (+9 -1)
📝 server/db/sqlite/schema.ts (+11 -0)
📝 server/lib/blueprints/proxyResources.ts (+52 -2)
📝 server/lib/blueprints/types.ts (+4 -0)
📝 server/routers/badger/verifySession.ts (+71 -33)
📝 server/routers/external.ts (+7 -0)
📝 server/routers/integration.ts (+9 -3)
📝 server/routers/private/hybrid.ts (+10 -2)
📝 server/routers/resource/getResourceAuthInfo.ts (+26 -2)
📝 server/routers/resource/index.ts (+1 -0)
➕ server/routers/resource/setResourceHeaderAuth.ts (+101 -0)
📝 src/app/[orgId]/settings/resources/[niceId]/authentication/page.tsx (+81 -2)
📝 src/components/PermissionsSelectBox.tsx (+1 -0)
➕ src/components/SetResourceHeaderAuthForm.tsx (+186 -0)

📄 Description

Community Contribution License Agreement

By creating this pull request, I grant the project maintainers an unlimited, perpetual license to use, modify, and redistribute these contributions under any terms they choose, including both the AGPLv3 and the Fossorial Commercial license terms. I represent that I have the right to grant this license for all contributed content.

Description

This feature introduces support for the 'Basic' HTTP Authentication Scheme (RFC 7617, https://www.rfc-editor.org/rfc/rfc7617) to allow access to a protected resource. As described in #226 and #937, the primary goal is to provide an alternative to Pangolin's standard SSO authentication, which requires user interaction with a graphical interface. Supporting header-based authentication enables third-party systems and headless clients to bypass the interactive login flow by providing credentials directly in the request header.

Currently, when an unauthenticated user tries to access a resource managed by Pangolin (e.g., a Jellyfin server at https://play.example.com), they are redirected to a login page. This flow is incompatible with headless clients, such as the Jellyfin mobile application, which cannot render the web login page.

The existing workaround involves creating filtering rules to allow specific URL paths to bypass authentication. This approach is insecure, as it exposes endpoints publicly, and brittle, as it requires maintaining an exhaustive list of all necessary API routes.

This feature allows users to enable Basic Authentication for a resource through the management interface. When configuring the resource, the user can add header-based authentication by specifying a username and password.

[Screenshot "CleanShot 2025-09-22 at 17 46 55": https://github.com/user-attachments/assets/58a41b19-1167-4336-9ce2-1d540ecd019e]
[Screenshot "CleanShot 2025-09-22 at 17 51 52": https://github.com/user-attachments/assets/3893fd4f-710d-4cbe-8b44-b404634d13aa]

Once configured, a client can authenticate by embedding the credentials in the URL (e.g., https://user:password@play.example.com) or by providing them in the Authorization header. Pangolin will identify and validate these credentials, allowing the request to proceed to the backend resource without any GUI interaction.

[Screenshot "CleanShot 2025-09-22 at 17 53 15": https://github.com/user-attachments/assets/be0e1140-d8f6-477e-8f7e-06a83ebb4770]

How to test?

  • Navigate to the management UI and edit a resource.
  • Enable the new "Header Authentication" option.
  • Enter a desired username and password and save the configuration.
  • Send a request to the resource's URL using cURL with the correct credentials: `curl -u "username:password" https://play.example.com`. The request should be successful (e.g., HTTP 200 OK) and the resource content should be returned.
  • Send a request with incorrect credentials: `curl -u "username:wrongpassword" https://play.example.com`. The request should be redirected to the standard pangolin login page.
  • Send a request without credentials from a new browser session. The request should be redirected to the traditional pangolin login.
  • Remove the "Header Authentication" option and send a request with the correct credentials. The request should be redirected to the traditional pangolin login.

Points of attention

Since this is my first contribution to this project, some minor points should be checked:

  • I've modified the database by adding a table. The schema.ts files have been modified for both pg and sqlite. Is there anything to do for migration? (I'm not familiar with drizzle.)
  • The verify-session method has been modified. Have I placed it correctly in order to maintain consistency with other validations (such as rules, for example)?
  • I used a cache in order to speed up verification (due to the hashing function); is there any security issue? I think the cache is a major factor because a non-cached authentication took 40 ms locally, whereas with the cache it took 12 ms.

Huge thanks to @AstralDestiny, who helped me set up the local development environment.


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
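A small model of the verification path the description sketches (credentials in the Authorization header, validated before the request is forwarded) together with the verified-credential cache raised under "Points of attention", written here as an added example rather than Pangolin's own code. It parses the RFC 7617 header (splitting at the first colon, since the password may contain colons), compares the password against an scrypt hash in constant time, never caches failures, and keys the cache on a fingerprint that includes the stored hash, so changing the password or disabling header auth invalidates cached entries. The config shape, the salt and the use of scrypt are assumptions, not the project's schema or hashing function.

```typescript
import { createHash, scryptSync, timingSafeEqual } from "node:crypto";

// Hypothetical per-resource config (constructed shape, not Pangolin's schema).
interface HeaderAuthConfig { enabled: boolean; username: string; salt: string; passwordHash: Buffer; }

// What the server would store when the admin saves a username/password (salt is a constructed sample).
function makeConfig(username: string, password: string, salt = "constructed-salt"): HeaderAuthConfig {
  return { enabled: true, username, salt, passwordHash: scryptSync(password, salt, 32) };
}

// RFC 7617: "Basic " + base64(user-id ":" password). Only the first ':' separates the two.
function parseBasicHeader(header: string | undefined): { user: string; pass: string } | null {
  if (!header) return null;
  const m = /^Basic\s+([A-Za-z0-9+/=]+)$/i.exec(header.trim());
  if (!m) return null;
  const decoded = Buffer.from(m[1], "base64").toString("utf8");
  const i = decoded.indexOf(":");
  if (i < 0) return null;
  return { user: decoded.slice(0, i), pass: decoded.slice(i + 1) };
}

// Cache of fingerprints of credentials already verified, with a short TTL.
// The fingerprint mixes in the stored hash, so a password change or re-enable
// produces a different key, and plaintext credentials are never held in memory.
const verifiedCache = new Map<string, number>();
const CACHE_TTL_MS = 60_000;

function fingerprint(cfg: HeaderAuthConfig, user: string, pass: string): string {
  return createHash("sha256")
    .update(cfg.passwordHash).update("\0").update(user).update("\0").update(pass)
    .digest("hex");
}

// True only when header auth is enabled for the resource and the credentials match;
// false means "fall through to the normal interactive login".
function verifyHeaderAuth(cfg: HeaderAuthConfig, header: string | undefined, now = Date.now()): boolean {
  if (!cfg.enabled) return false;               // disabled: the cache must not be consulted at all
  const creds = parseBasicHeader(header);
  if (!creds) return false;
  const key = fingerprint(cfg, creds.user, creds.pass);
  const hit = verifiedCache.get(key);
  if (hit !== undefined && now - hit < CACHE_TTL_MS) return true;   // skip the slow scrypt
  const userOk = creds.user === cfg.username;
  const passOk = timingSafeEqual(scryptSync(creds.pass, cfg.salt, 32), cfg.passwordHash);
  if (!(userOk && passOk)) return false;        // failures are never cached
  verifiedCache.set(key, now);
  return true;
}

// Helper mirroring what `curl -u user:pass` sends.
function basicHeader(user: string, pass: string): string {
  return "Basic " + Buffer.from(`${user}:${pass}`).toString("base64");
}
```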

GiteaMirror added the pull-request label 2025-11-13 12:18:26 -06:00
Reference: github-starred/pangolin#1110