akanealw/caddy-proxy-manager
1
0
Fork 0
Code Issues Pull Requests Actions 3 Packages Projects Releases Wiki Activity

Add forward auth portal — CPM as built-in IdP replacing Authentik

Browse Source 
CPM can now act as its own forward auth provider for proxied sites.
Users authenticate at a login portal (credentials or OAuth) and Caddy
gates access via a verify subrequest, eliminating the need for external
IdPs like Authentik.

Key components:
- Forward auth flow: verify endpoint, exchange code callback, login portal
- User groups with membership management
- Per-proxy-host access control (users and/or groups)
- Caddy config generation for forward_auth handler + callback route
- OAuth and credential login on the portal page
- Admin UI: groups page, inline user/group assignment in proxy host form
- REST API: /api/v1/groups, /api/v1/forward-auth-sessions, per-host access
- Integration tests for groups and forward auth schema

Also fixes mTLS E2E test selectors broken by the RBAC refactor.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
fuomag9
2026-04-05 22:32:17 +02:00
parent 277ae6e79c
commit 03c8f40417
34 changed files with 2788 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
tests/helpers/proxy-api.ts
View File

@@ -101,13 +101,17 @@ export async function createProxyHost(page: Page, config: ProxyHostConfig): Prom
await mtlsCard.scrollIntoViewIfNeeded();
await mtlsCard.getByRole('switch').click();
await expect(page.getByText(/trusted client ca certificates/i)).toBeVisible({ timeout: 10_000 });
await expect(page.getByText(/trusted certificates/i)).toBeVisible({ timeout: 10_000 });
// Check each CA certificate by label
// Click each CA group header to select all issued certs from that CA
for (const caName of config.mtlsCaNames) {
await page.getByLabel(caName, { exact: true }).check();
const caLabel = page.locator('label').filter({ hasText: caName });
await caLabel.scrollIntoViewIfNeeded();
await caLabel.click();
}
await expect(page.locator('input[name="mtls_ca_cert_id"]')).toHaveCount(config.mtlsCaNames.length);
// Verify at least one cert was selected (each CA group selects its certs)
const certInputs = page.locator('input[name="mtls_cert_id"]');
await expect(certInputs.first()).toBeAttached({ timeout: 5_000 });
}
// Inject hidden fields: