akanealw/caddy-proxy-manager
1
0
Fork 0
Code Issues Pull Requests Actions 3 Packages Projects Releases Wiki Activity
Files
9940bea058ccfd090d27bd834ba0fcd4e4322d24
caddy-proxy-manager/app/api/forward-auth/verify/route.ts
fuomag9 03c8f40417 Add forward auth portal — CPM as built-in IdP replacing Authentik 
CPM can now act as its own forward auth provider for proxied sites.
Users authenticate at a login portal (credentials or OAuth) and Caddy
gates access via a verify subrequest, eliminating the need for external
IdPs like Authentik.

Key components:
- Forward auth flow: verify endpoint, exchange code callback, login portal
- User groups with membership management
- Per-proxy-host access control (users and/or groups)
- Caddy config generation for forward_auth handler + callback route
- OAuth and credential login on the portal page
- Admin UI: groups page, inline user/group assignment in proxy host form
- REST API: /api/v1/groups, /api/v1/forward-auth-sessions, per-host access
- Integration tests for groups and forward auth schema

Also fixes mTLS E2E test selectors broken by the RBAC refactor.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-05 22:32:17 +02:00

54 lines
1.8 KiB
TypeScript
Raw Blame History

import { NextRequest, NextResponse } from "next/server";
import { validateForwardAuthSession, checkHostAccessByDomain } from "@/src/lib/models/forward-auth";
import { getUserById } from "@/src/lib/models/user";
import { getGroupsForUser } from "@/src/lib/models/groups";
const COOKIE_NAME = "_cpm_fa";
/**
* Forward auth verify endpoint — called by Caddy as a subrequest.
* Returns 200 + user headers on success, 401 on failure.
*/
export async function GET(request: NextRequest) {
const token = request.cookies.get(COOKIE_NAME)?.value;
if (!token) {
return new NextResponse(null, { status: 401 });
}
const session = await validateForwardAuthSession(token);
if (!session) {
return new NextResponse(null, { status: 401 });
}
const user = await getUserById(session.userId);
if (!user || user.status !== "active") {
return new NextResponse(null, { status: 401 });
}
// Check host access using X-Forwarded-Host header set by Caddy
const forwardedHost = request.headers.get("x-forwarded-host") ?? request.headers.get("host") ?? "";
if (!forwardedHost) {
return new NextResponse(null, { status: 401 });
}
const { hasAccess } = await checkHostAccessByDomain(session.userId, forwardedHost);
if (!hasAccess) {
return new NextResponse("Forbidden", { status: 403 });
}
// Get user's groups for the header
const userGroups = await getGroupsForUser(session.userId);
const groupNames = userGroups.map((g) => g.name).join(",");
// Return 200 with user info headers that Caddy will copy to upstream
return new NextResponse(null, {
status: 200,
headers: {
"X-CPM-User": user.name ?? user.email.split("@")[0],
"X-CPM-Email": user.email,
"X-CPM-Groups": groupNames,
"X-CPM-User-Id": String(user.id)
}
});
}
Reference in New Issue View Git Blame Copy Permalink