Squashed commit of the following:

commit b5a751005850115c84fd8fddb83f32a52835a422 Author: fuomag9 <1580624+fuomag9@users.noreply.github.com> Date: Sat Nov 8 13:54:22 2025 +0100 Update ProxyHostsClient.tsx commit c93b3898c31b9c206fba74605dad5a578e326ce4 Author: fuomag9 <1580624+fuomag9@users.noreply.github.com> Date: Sat Nov 8 13:43:00 2025 +0100 test-protected-paths
2025-11-08 13:55:23 +01:00
parent dc8e5e262f
commit b17ae54fbd
4 changed files with 120 additions and 16 deletions
@@ -68,6 +68,7 @@ type ProxyHostAuthentikMeta = {
  copy_headers?: string[];
  trusted_proxies?: string[];
  set_outpost_host_header?: boolean;
+  protected_paths?: string[];
 };

 type AuthentikRouteConfig = {
@@ -78,6 +79,7 @@ type AuthentikRouteConfig = {
  copyHeaders: string[];
  trustedProxies: string[];
  setOutpostHostHeader: boolean;
+  protectedPaths: string[] | null;
 };

 type RedirectHostRow = {
@@ -494,22 +496,75 @@ function buildProxyRoutes(
        forwardAuthHandler.trusted_proxies = trustedProxies;
      }

-      handlers.push(forwardAuthHandler);
+      // Path-based authentication support
+      if (authentik.protectedPaths && authentik.protectedPaths.length > 0) {
+        // Create separate routes for each protected path
+        for (const protectedPath of authentik.protectedPaths) {
+          const protectedHandlers: Record<string, unknown>[] = [...handlers];
+          const protectedReverseProxy = JSON.parse(JSON.stringify(reverseProxyHandler));
+
+          protectedHandlers.push(forwardAuthHandler);
+          protectedHandlers.push(protectedReverseProxy);
+
+          hostRoutes.push({
+            match: [
+              {
+                host: domains,
+                path: [protectedPath]
+              }
+            ],
+            handle: protectedHandlers,
+            terminal: true
+          });
+        }
+
+        // Create a catch-all route for non-protected paths (without forward auth)
+        const unprotectedHandlers: Record<string, unknown>[] = [...handlers];
+        unprotectedHandlers.push(reverseProxyHandler);
+
+        hostRoutes.push({
+          match: [
+            {
+              host: domains
+            }
+          ],
+          handle: unprotectedHandlers,
+          terminal: true
+        });
+      } else {
+        // No path-based protection: protect entire domain (backward compatibility)
+        handlers.push(forwardAuthHandler);
+        handlers.push(reverseProxyHandler);
+
+        const route: CaddyHttpRoute = {
+          match: [
+            {
+              host: domains
+            }
+          ],
+          handle: handlers,
+          terminal: true
+        };
+
+        hostRoutes.push(route);
+      }
+    } else {
+      // No Authentik: standard reverse proxy
+      handlers.push(reverseProxyHandler);
+
+      const route: CaddyHttpRoute = {
+        match: [
+          {
+            host: domains
+          }
+        ],
+        handle: handlers,
+        terminal: true
+      };
+
+      hostRoutes.push(route);
    }

-    handlers.push(reverseProxyHandler);
-
-    const route: CaddyHttpRoute = {
-      match: [
-        {
-          host: domains
-        }
-      ],
-      handle: handlers,
-      terminal: true
-    };
-
-    hostRoutes.push(route);
    routes.push(...hostRoutes);
  }

@@ -960,6 +1015,11 @@ function parseAuthentikConfig(meta: ProxyHostAuthentikMeta | undefined | null):
  const setOutpostHostHeader =
    meta.set_outpost_host_header !== undefined ? Boolean(meta.set_outpost_host_header) : true;

+  const protectedPaths =
+    Array.isArray(meta.protected_paths) && meta.protected_paths.length > 0
+      ? meta.protected_paths.map((path) => path?.trim()).filter((path): path is string => Boolean(path))
+      : null;
+
  return {
    enabled: true,
    outpostDomain,
@@ -967,6 +1027,7 @@ function parseAuthentikConfig(meta: ProxyHostAuthentikMeta | undefined | null):
    authEndpoint,
    copyHeaders,
    trustedProxies,
-    setOutpostHostHeader
+    setOutpostHostHeader,
+    protectedPaths
  };
 }