akanealw/caddy-proxy-manager
1
0
Fork 0
Code Issues Pull Requests Actions 3 Packages Projects Releases Wiki Activity

Add forward auth portal — CPM as built-in IdP replacing Authentik

Browse Source 
CPM can now act as its own forward auth provider for proxied sites.
Users authenticate at a login portal (credentials or OAuth) and Caddy
gates access via a verify subrequest, eliminating the need for external
IdPs like Authentik.

Key components:
- Forward auth flow: verify endpoint, exchange code callback, login portal
- User groups with membership management
- Per-proxy-host access control (users and/or groups)
- Caddy config generation for forward_auth handler + callback route
- OAuth and credential login on the portal page
- Admin UI: groups page, inline user/group assignment in proxy host form
- REST API: /api/v1/groups, /api/v1/forward-auth-sessions, per-host access
- Integration tests for groups and forward auth schema

Also fixes mTLS E2E test selectors broken by the RBAC refactor.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
fuomag9
2026-04-05 22:32:17 +02:00
parent 277ae6e79c
commit 03c8f40417
34 changed files with 2788 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

35
app/api/v1/proxy-hosts/[id]/forward-auth-access/route.ts Normal file
View File

@@ -0,0 +1,35 @@
import { NextRequest, NextResponse } from "next/server";
import { requireApiAdmin, apiErrorResponse } from "@/src/lib/api-auth";
import {
getForwardAuthAccessForHost,
setForwardAuthAccess
} from "@/src/lib/models/forward-auth";
type Params = { params: Promise<{ id: string }> };
export async function GET(request: NextRequest, { params }: Params) {
try {
await requireApiAdmin(request);
const { id } = await params;
const access = await getForwardAuthAccessForHost(Number(id));
return NextResponse.json(access);
} catch (error) {
return apiErrorResponse(error);
}
}
export async function PUT(request: NextRequest, { params }: Params) {
try {
const { userId } = await requireApiAdmin(request);
const { id } = await params;
const body = await request.json();
const access = await setForwardAuthAccess(
Number(id),
{ userIds: body.userIds, groupIds: body.groupIds },
userId
);
return NextResponse.json(access);
} catch (error) {
return apiErrorResponse(error);
}
}