Add forward auth portal — CPM as built-in IdP replacing Authentik

CPM can now act as its own forward auth provider for proxied sites. Users authenticate at a login portal (credentials or OAuth) and Caddy gates access via a verify subrequest, eliminating the need for external IdPs like Authentik. Key components: - Forward auth flow: verify endpoint, exchange code callback, login portal - User groups with membership management - Per-proxy-host access control (users and/or groups) - Caddy config generation for forward_auth handler + callback route - OAuth and credential login on the portal page - Admin UI: groups page, inline user/group assignment in proxy host form - REST API: /api/v1/groups, /api/v1/forward-auth-sessions, per-host access - Integration tests for groups and forward auth schema Also fixes mTLS E2E test selectors broken by the RBAC refactor. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-05 22:32:17 +02:00
parent 277ae6e79c
commit 03c8f40417
34 changed files with 2788 additions and 11 deletions
--- a/app/api/forward-auth/verify/route.ts
+++ b/app/api/forward-auth/verify/route.ts
@@ -0,0 +1,53 @@
+import { NextRequest, NextResponse } from "next/server";
+import { validateForwardAuthSession, checkHostAccessByDomain } from "@/src/lib/models/forward-auth";
+import { getUserById } from "@/src/lib/models/user";
+import { getGroupsForUser } from "@/src/lib/models/groups";
+
+const COOKIE_NAME = "_cpm_fa";
+
+/**
+ * Forward auth verify endpoint — called by Caddy as a subrequest.
+ * Returns 200 + user headers on success, 401 on failure.
+ */
+export async function GET(request: NextRequest) {
+  const token = request.cookies.get(COOKIE_NAME)?.value;
+  if (!token) {
+    return new NextResponse(null, { status: 401 });
+  }
+
+  const session = await validateForwardAuthSession(token);
+  if (!session) {
+    return new NextResponse(null, { status: 401 });
+  }
+
+  const user = await getUserById(session.userId);
+  if (!user || user.status !== "active") {
+    return new NextResponse(null, { status: 401 });
+  }
+
+  // Check host access using X-Forwarded-Host header set by Caddy
+  const forwardedHost = request.headers.get("x-forwarded-host") ?? request.headers.get("host") ?? "";
+  if (!forwardedHost) {
+    return new NextResponse(null, { status: 401 });
+  }
+
+  const { hasAccess } = await checkHostAccessByDomain(session.userId, forwardedHost);
+  if (!hasAccess) {
+    return new NextResponse("Forbidden", { status: 403 });
+  }
+
+  // Get user's groups for the header
+  const userGroups = await getGroupsForUser(session.userId);
+  const groupNames = userGroups.map((g) => g.name).join(",");
+
+  // Return 200 with user info headers that Caddy will copy to upstream
+  return new NextResponse(null, {
+    status: 200,
+    headers: {
+      "X-CPM-User": user.name ?? user.email.split("@")[0],
+      "X-CPM-Email": user.email,
+      "X-CPM-Groups": groupNames,
+      "X-CPM-User-Id": String(user.id)
+    }
+  });
+}