caddy-proxy-manager

akanealw/caddy-proxy-manager

Fork 0

Commit Graph

Author	SHA1	Message	Date
fuomag9	8f4c24119e	Add excluded paths support for forward auth (fixes #108 ) Allow users to exclude specific paths from Authentik/CPM forward auth protection. When excluded_paths is set, all paths require authentication EXCEPT the excluded ones — useful for apps like Navidrome that need /share/* and /rest/* to bypass auth. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-04-17 10:11:35 +02:00
fuomag9	3a16d6e9b1	Replace next-auth with Better Auth, migrate DB columns to camelCase - Replace next-auth v5 beta with better-auth v1.6.2 (stable releases) - Add multi-provider OAuth support with admin UI configuration - New oauthProviders table with encrypted secrets (AES-256-GCM) - Env var bootstrap (OAUTH_) syncs to DB, UI-created providers fully editable - OAuth provider REST API: GET/POST/PUT/DELETE /api/v1/oauth-providers - Settings page "Authentication Providers" section for admin management - Account linking uses new accounts table (multi-provider per user) - Username plugin for credentials sign-in (replaces email@localhost pattern) - bcrypt password compatibility (existing hashes work) - Database-backed sessions via Kysely adapter (bun:sqlite direct) - Configurable rate limiting via AUTH_RATE_LIMIT_ env vars - All DB columns migrated from snake_case to camelCase - All TypeScript types/models migrated to camelCase properties - Removed casing: "snake_case" from Drizzle config - Callback URL format: {baseUrl}/api/auth/oauth2/callback/{providerId} - package-lock.json removed and gitignored (using bun.lock) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-04-12 21:11:48 +02:00
fuomag9	03c8f40417	Add forward auth portal — CPM as built-in IdP replacing Authentik CPM can now act as its own forward auth provider for proxied sites. Users authenticate at a login portal (credentials or OAuth) and Caddy gates access via a verify subrequest, eliminating the need for external IdPs like Authentik. Key components: - Forward auth flow: verify endpoint, exchange code callback, login portal - User groups with membership management - Per-proxy-host access control (users and/or groups) - Caddy config generation for forward_auth handler + callback route - OAuth and credential login on the portal page - Admin UI: groups page, inline user/group assignment in proxy host form - REST API: /api/v1/groups, /api/v1/forward-auth-sessions, per-host access - Integration tests for groups and forward auth schema Also fixes mTLS E2E test selectors broken by the RBAC refactor. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-04-05 22:32:17 +02:00

Author

SHA1

Message

Date

fuomag9

8f4c24119e

Add excluded paths support for forward auth (fixes #108 )

Allow users to exclude specific paths from Authentik/CPM forward auth
protection. When excluded_paths is set, all paths require authentication
EXCEPT the excluded ones — useful for apps like Navidrome that need
/share/* and /rest/* to bypass auth.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

2026-04-17 10:11:35 +02:00

fuomag9

3a16d6e9b1

Replace next-auth with Better Auth, migrate DB columns to camelCase

- Replace next-auth v5 beta with better-auth v1.6.2 (stable releases)
- Add multi-provider OAuth support with admin UI configuration
- New oauthProviders table with encrypted secrets (AES-256-GCM)
- Env var bootstrap (OAUTH_*) syncs to DB, UI-created providers fully editable
- OAuth provider REST API: GET/POST/PUT/DELETE /api/v1/oauth-providers
- Settings page "Authentication Providers" section for admin management
- Account linking uses new accounts table (multi-provider per user)
- Username plugin for credentials sign-in (replaces email@localhost pattern)
- bcrypt password compatibility (existing hashes work)
- Database-backed sessions via Kysely adapter (bun:sqlite direct)
- Configurable rate limiting via AUTH_RATE_LIMIT_* env vars
- All DB columns migrated from snake_case to camelCase
- All TypeScript types/models migrated to camelCase properties
- Removed casing: "snake_case" from Drizzle config
- Callback URL format: {baseUrl}/api/auth/oauth2/callback/{providerId}
- package-lock.json removed and gitignored (using bun.lock)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

2026-04-12 21:11:48 +02:00

fuomag9

03c8f40417

Add forward auth portal — CPM as built-in IdP replacing Authentik

CPM can now act as its own forward auth provider for proxied sites.
Users authenticate at a login portal (credentials or OAuth) and Caddy
gates access via a verify subrequest, eliminating the need for external
IdPs like Authentik.

Key components:
- Forward auth flow: verify endpoint, exchange code callback, login portal
- User groups with membership management
- Per-proxy-host access control (users and/or groups)
- Caddy config generation for forward_auth handler + callback route
- OAuth and credential login on the portal page
- Admin UI: groups page, inline user/group assignment in proxy host form
- REST API: /api/v1/groups, /api/v1/forward-auth-sessions, per-host access
- Integration tests for groups and forward auth schema

Also fixes mTLS E2E test selectors broken by the RBAC refactor.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

2026-04-05 22:32:17 +02:00

3 Commits