Add excluded paths support for forward auth (fixes #108)

Allow users to exclude specific paths from Authentik/CPM forward auth protection. When excluded_paths is set, all paths require authentication EXCEPT the excluded ones — useful for apps like Navidrome that need /share/* and /rest/* to bypass auth. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-17 10:11:24 +02:00
parent 390840dbd9
commit 8f4c24119e
8 changed files with 376 additions and 6 deletions
--- a/src/components/proxy-hosts/AuthentikFields.tsx
+++ b/src/components/proxy-hosts/AuthentikFields.tsx
@@ -162,6 +162,19 @@ export function AuthentikFields({
                                Leave empty to protect entire domain. Specify paths to protect specific routes only.
                            </p>
                        </div>
+                        <div>
+                            <label className="text-sm font-medium mb-1 block">Excluded Paths (Optional)</label>
+                            <Textarea
+                                name="authentik_excluded_paths"
+                                placeholder="/share/*, /rest/*"
+                                defaultValue={initial?.excludedPaths?.join(", ") ?? ""}
+                                disabled={!enabled}
+                                rows={2}
+                            />
+                            <p className="text-xs text-muted-foreground mt-1">
+                                Paths to exclude from authentication. These paths will bypass forward auth while all other paths remain protected. Ignored if Protected Paths is set.
+                            </p>
+                        </div>
                        <HiddenCheckboxField
                            name="authentik_set_host_header"
                            defaultChecked={setHostHeaderDefault}
--- a/src/components/proxy-hosts/CpmForwardAuthFields.tsx
+++ b/src/components/proxy-hosts/CpmForwardAuthFields.tsx
@@ -99,6 +99,19 @@ export function CpmForwardAuthFields({
                                Leave empty to protect entire domain. Comma-separated paths to protect specific routes only.
                            </p>
                        </div>
+                        <div>
+                            <label className="text-sm font-medium mb-1 block">Excluded Paths (Optional)</label>
+                            <Textarea
+                                name="cpm_forward_auth_excluded_paths"
+                                placeholder="/share/*, /rest/*"
+                                defaultValue={initial?.excluded_paths?.join(", ") ?? ""}
+                                disabled={!enabled}
+                                rows={2}
+                            />
+                            <p className="text-xs text-muted-foreground mt-1">
+                                Paths to exclude from authentication. These paths will bypass forward auth while all other paths remain protected. Ignored if Protected Paths is set.
+                            </p>
+                        </div>

                        {/* Allowed Groups */}
                        {groups.length > 0 && (