github-starred/pangolin
2
0
Fork 0
mirror of https://github.com/fosrl/pangolin.git synced 2026-05-22 09:32:36 -05:00
Code Issues 959 Packages Projects Releases 74 Wiki Activity

[PR #807] [MERGED] send user data to badger when authenticated #11129

New Issue
Closed
opened 2026-05-06 15:47:20 -05:00 by GiteaMirror · 0 comments
GiteaMirror commented 2026-05-06 15:47:20 -05:00
Owner
Copy Link

📋 Pull Request Information

Original PR: https://github.com/fosrl/pangolin/pull/807
Author: @pyrho
Created: 5/30/2025
Status: Merged
Merged: 6/4/2025
Merged by: @miloschwartz

Base: devHead: feat/auth-header

📝 Commits (1)

  • c5e37c1 send user data to badger when authenticated

📊 Changes

1 file changed (+36 additions, -16 deletions)

View changed files

📝 server/routers/badger/verifySession.ts (+36 -16)

📄 Description

Community Contribution License Agreement

By creating this pull request, I grant the project maintainers an unlimited,
perpetual license to use, modify, and redistribute these contributions under any terms they
choose, including both the AGPLv3 and the Fossorial Commercial license terms. I
represent that I have the right to grant this license for all contributed content.

Description

tl;dr;
Add Remote-User, Remote-Name and Remote-Email headers to the upstream service request.

Why ?

Some applications accept headers to authenticate users, Pangolin has access to this information and can simply forward some basic user information.
See for example Paperless-ngx.

See also:

Changes to Pangolin

This PR introduces simple changes to the response sent to the badger middleware on the /verify-session route; namely the username, name and email (see BasicUserData).

Note that the new user info data is only sent when the user is authenticated via SSO. I guess it could be added to other means of authentication (PIN, email, ...), but would require additional DB calls, and is perhaps better overall planning of the feature.

Changes to Badger

For this to work, we also need to make small changes within badger. The following diff enables the functionality:

diff --git a/main.go b/main.go
index 2d37c34..6f87772 100644
--- a/main.go
+++ b/main.go
@@ -40,6 +40,9 @@ type VerifyResponse struct {
 	Data struct {
 		Valid           bool              `json:"valid"`
 		RedirectURL     *string           `json:"redirectUrl"`
+		Username        *string           `json:"username,omitempty"`
+		Email           *string           `json:"email,omitempty"`
+		Name            *string           `json:"name,omitempty"`
 		ResponseHeaders map[string]string `json:"responseHeaders,omitempty"`
 	} `json:"data"`
 }
@@ -204,6 +207,19 @@ func (p *Badger) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
 	}
 
 	if result.Data.Valid {
+
+		if result.Data.Username != nil {
+			req.Header.Add("Remote-User", *result.Data.Username)
+		}
+
+		if result.Data.Email != nil {
+			req.Header.Add("Remote-Email", *result.Data.Email)
+		}
+
+		if result.Data.Name != nil {
+			req.Header.Add("Remote-Name", *result.Data.Name)
+		}
+
 		fmt.Println("Badger: Valid session")
 		p.next.ServeHTTP(rw, req)
 		return

A testing middleware has been published to Traefik catalog and can be tested by replacing the Badger middleware with my patched version.

The patched middleware code is available in my hard fork or Badger.

This can be done by modifying the config/traefik/traefik_config.yml file

experimental:
  plugins:
    badger:
      #moduleName: github.com/fosrl/badger
      #version: v1.1.0
      moduleName: github.com/pyrho/badgerheaders
      version: v0.0.12

Limitations

As mentioned, this will only work when login in via Pangolin SSO (not PIN, nor resource password, nor email link).

Additionally, it seems like the server admin account only has an email. If you need the username and name, you will have to login with an Org user instead.

How to test?

Using Pangolin, proxy to a resource serving the echo docker image to https://echo.my.tld, secure it with SSO, open https://echo.my.tld, login in with Pangolin's SSO and see the headers.

CleanShot 2025-05-30 at 21 08 55@2x

I'm currently running this, and it serves my needs.

🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

## 📋 Pull Request Information **Original PR:** https://github.com/fosrl/pangolin/pull/807 **Author:** [@pyrho](https://github.com/pyrho) **Created:** 5/30/2025 **Status:** ✅ Merged **Merged:** 6/4/2025 **Merged by:** [@miloschwartz](https://github.com/miloschwartz) **Base:** `dev` ← **Head:** `feat/auth-header` --- ### 📝 Commits (1) - [`c5e37c1`](https://github.com/fosrl/pangolin/commit/c5e37c1608a2d1ed00b3304a986f6796aaec7380) send user data to badger when authenticated ### 📊 Changes **1 file changed** (+36 additions, -16 deletions) <details> <summary>View changed files</summary> 📝 `server/routers/badger/verifySession.ts` (+36 -16) </details> ### 📄 Description ## Community Contribution License Agreement By creating this pull request, I grant the project maintainers an unlimited, perpetual license to use, modify, and redistribute these contributions under any terms they choose, including both the AGPLv3 and the Fossorial Commercial license terms. I represent that I have the right to grant this license for all contributed content. ## Description **tl;dr;** Add `Remote-User`, `Remote-Name` and `Remote-Email` headers to the upstream service request. ### Why ? Some applications accept headers to authenticate users, Pangolin has access to this information and can simply forward some basic user information. See for example [Paperless-ngx](https://docs.paperless-ngx.com/configuration/#PAPERLESS_ENABLE_HTTP_REMOTE_USER). See also: - user [@radh21301](https://github.com/radh21301)'s [list of apps here](https://github.com/orgs/fosrl/discussions/791) - [this broader proposal](https://github.com/orgs/fosrl/discussions/455) to set custom headers per resources. ### Changes to Pangolin This PR introduces simple changes to the response sent to the badger middleware on the `/verify-session` route; namely the username, name and email (see `BasicUserData`). Note that the new user info data is only sent when the user is authenticated via SSO. I guess it could be added to other means of authentication (PIN, email, ...), but would require additional DB calls, and is perhaps better overall planning of the feature. ### Changes to Badger For this to work, we also need to make small changes within badger. The following diff enables the functionality: ```diff diff --git a/main.go b/main.go index 2d37c34..6f87772 100644 --- a/main.go +++ b/main.go @@ -40,6 +40,9 @@ type VerifyResponse struct { Data struct { Valid bool `json:"valid"` RedirectURL *string `json:"redirectUrl"` + Username *string `json:"username,omitempty"` + Email *string `json:"email,omitempty"` + Name *string `json:"name,omitempty"` ResponseHeaders map[string]string `json:"responseHeaders,omitempty"` } `json:"data"` } @@ -204,6 +207,19 @@ func (p *Badger) ServeHTTP(rw http.ResponseWriter, req *http.Request) { } if result.Data.Valid { + + if result.Data.Username != nil { + req.Header.Add("Remote-User", *result.Data.Username) + } + + if result.Data.Email != nil { + req.Header.Add("Remote-Email", *result.Data.Email) + } + + if result.Data.Name != nil { + req.Header.Add("Remote-Name", *result.Data.Name) + } + fmt.Println("Badger: Valid session") p.next.ServeHTTP(rw, req) return ``` A testing middleware has been published to Traefik catalog and can be tested by replacing the Badger middleware with my patched version. The patched middleware code is available [in my hard fork](github.com/pyrho/badgerheaders) or Badger. This can be done by modifying the `config/traefik/traefik_config.yml` file ```yaml experimental: plugins: badger: #moduleName: github.com/fosrl/badger #version: v1.1.0 moduleName: github.com/pyrho/badgerheaders version: v0.0.12 ``` ## Limitations As mentioned, this will only work when login in via Pangolin SSO (not PIN, nor resource password, nor email link). Additionally, it seems like the server admin account only has an `email`. If you need the username and name, you will have to login with an Org user instead. ## How to test? Using Pangolin, proxy to a resource serving the [echo docker image](https://code.mendhak.com/docker-http-https-echo/) to `https://echo.my.tld`, secure it with SSO, open `https://echo.my.tld`, login in with Pangolin's SSO and see the headers. ![CleanShot 2025-05-30 at 21 08 55@2x](https://github.com/user-attachments/assets/35d227a7-a254-49e3-805f-8d86fb398024) I'm currently running this, and it serves my needs. --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>
GiteaMirror added the pull-request label 2026-05-06 15:47:20 -05:00
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
api
authentication
bug
config
dependencies
docker
documentation
enhancement
good first issue
help wanted
Improvement
Look Into
needs investigating
networking
new feature
non-critical bug
potential bug
pull-request
Mirrored from GitHub Pull Request
 question
reverse proxy
Security
stale
ui
wontfix
No Label pull-request
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
GiteaMirror ninjasurge
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/pangolin#11129
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?