mirror of
https://github.com/fosrl/pangolin.git
synced 2026-07-16 14:47:04 -05:00
[PR #2676] feat: header token authentication to bypass SSO for API access #3102
Reference in New Issue
Block a user
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
📋 Pull Request Information
Original PR: https://github.com/fosrl/pangolin/pull/2676
Author: @crisidev
Created: 3/19/2026
Status: 🔄 Open
Base:
main← Head:main📝 Commits (3)
fb7847fadd header token auth to bypass SSO for API accessdf27ee0Merge branch 'fosrl:main' into main78cfc2aFix indentation bug📊 Changes
26 files changed (+1378 additions, -152 deletions)
View changed files
📝
messages/en-US.json(+30 -0)📝
server/auth/actions.ts(+3 -0)➕
server/auth/verifyHeaderToken.ts(+48 -0)📝
server/db/pg/schema/schema.ts(+17 -1)📝
server/db/sqlite/schema/schema.ts(+17 -1)📝
server/middlewares/index.ts(+1 -0)📝
server/middlewares/verifyAccessTokenAccess.ts(+5 -141)➕
server/middlewares/verifyHeaderTokenAccess.ts(+6 -0)➕
server/middlewares/verifyTokenResourceAccess.ts(+159 -0)📝
server/openApi.ts(+1 -0)📝
server/routers/badger/logRequestAudit.ts(+1 -0)📝
server/routers/badger/verifySession.ts(+45 -3)📝
server/routers/external.ts(+27 -0)➕
server/routers/headerToken/deleteHeaderToken.ts(+72 -0)➕
server/routers/headerToken/generateHeaderToken.ts(+148 -0)➕
server/routers/headerToken/index.ts(+3 -0)➕
server/routers/headerToken/listHeaderTokens.ts(+89 -0)📝
server/routers/resource/getResourceAuthInfo.ts(+4 -1)📝
server/routers/resource/updateResource.ts(+11 -1)📝
server/setup/clearStaleData.ts(+15 -1)...and 6 more files
📄 Description
Community Contribution License Agreement
By creating this pull request, I grant the project maintainers an unlimited,
perpetual license to use, modify, and redistribute these contributions under any terms they
choose, including both the AGPLv3 and the Fossorial Commercial license terms. I
represent that I have the right to grant this license for all contributed content.
Description
Adds a new per-resource authentication method that allows clients to bypass SSO by sending a secret token in a custom HTTP header. This is designed for programmatic access: CI/CD pipelines, monitoring tools, webhooks, and other integrations that can't go through browser-based auth.
X-Pangolin-Token) in the authentication settingsverifySessionchecks the header before falling through to SSO, with a 5-second local cache keyed by hash(not raw token)
verifyAccessTokenAccessandverifyHeaderTokenAccessinto a sharedverifyTokenResourceAccessfactory, removing ~140 lines of duplication
clearStaleDatawith proper NULL-safe handling for never-expiring tokenscopy-to-clipboard, and delete
How to test?
curl -H "X-Pangolin-Token: <token>"Notes
This is tested only on my setup with sqlite. I kinda winged the postgresql migrations..
🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.