akanealw/caddy-proxy-manager
1
0
Fork 0
Code Issues Pull Requests Actions 3 Packages Projects Releases Wiki Activity

Add forward auth portal — CPM as built-in IdP replacing Authentik

Browse Source 
CPM can now act as its own forward auth provider for proxied sites.
Users authenticate at a login portal (credentials or OAuth) and Caddy
gates access via a verify subrequest, eliminating the need for external
IdPs like Authentik.

Key components:
- Forward auth flow: verify endpoint, exchange code callback, login portal
- User groups with membership management
- Per-proxy-host access control (users and/or groups)
- Caddy config generation for forward_auth handler + callback route
- OAuth and credential login on the portal page
- Admin UI: groups page, inline user/group assignment in proxy host form
- REST API: /api/v1/groups, /api/v1/forward-auth-sessions, per-host access
- Integration tests for groups and forward auth schema

Also fixes mTLS E2E test selectors broken by the RBAC refactor.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
fuomag9
2026-04-05 22:32:17 +02:00
parent 277ae6e79c
commit 03c8f40417
34 changed files with 2788 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

37
app/api/forward-auth/callback/route.ts Normal file
View File

@@ -0,0 +1,37 @@
import { NextRequest, NextResponse } from "next/server";
import { redeemExchangeCode } from "@/src/lib/models/forward-auth";
const COOKIE_NAME = "_cpm_fa";
const COOKIE_MAX_AGE = 7 * 24 * 60 * 60; // 7 days
/**
* Forward auth callback — redeems an exchange code and sets the session cookie.
* Caddy routes /.cpm-auth/callback on proxied domains to this endpoint.
*/
export async function GET(request: NextRequest) {
const code = request.nextUrl.searchParams.get("code");
if (!code) {
return new NextResponse("Missing code parameter", { status: 400 });
}
const result = await redeemExchangeCode(code);
if (!result) {
return new NextResponse(
"Invalid or expired authorization code. Please try logging in again.",
{ status: 401 }
);
}
// Redirect back to original URL with the session cookie set
const response = NextResponse.redirect(result.redirectUri, 302);
response.cookies.set(COOKIE_NAME, result.rawSessionToken, {
path: "/",
httpOnly: true,
secure: true,
sameSite: "lax",
maxAge: COOKIE_MAX_AGE
});
return response;
}