There are various authorizing reverse proxies. Here are two examples:
https://github.com/oauth2-proxy/oauth2-proxy
https://github.com/Jipok/Jauth
They take care of authentication, authorization, registration, etc. They are easy to support for the developer - all that is needed is to process the configured header (most often this is `Remote-User` or `X-Forwarded-User`) where the username is specified. They are also convenient for the user, since there is no need to remember/store extra login/password pairs, provide a single entry point for their own services and increase security.
I'm not good at coding in js, but I was able to implement a simple way that works for me:
Just one change in:
```js
    return res.status(200).send('Refresh token not provided');
  }
```

```js
// cookies, crypto, bcrypt, User and setAuthTokens must be imported in this file.
const refreshController = async (req, res) => {
  const refreshToken = req.headers.cookie ? cookies.parse(req.headers.cookie).refreshToken : null;

  // Handle Remote-User from auth proxy
  if (!refreshToken && process.env.FORWARD_AUTH_HEADER) {
    let forwardedUserName;
    // Node stores incoming header names in lower case
    const headerName = process.env.FORWARD_AUTH_HEADER.toLowerCase();
    if (Object.prototype.hasOwnProperty.call(req.headers, headerName)) {
      forwardedUserName = req.headers[headerName];
    } else {
      return res.status(500).send('FORWARD_AUTH_HEADER(' + headerName + ') not provided');
    }

    // If user doesn't exist, register them
    let user = await User.findOne({ username: forwardedUserName }, '_id').lean();
    if (!user) {
      // determine if this is the first registered user (not counting anonymous_user)
      const isFirstRegisteredUser = (await User.countDocuments({})) === 0;
      const newUser = new User({
        provider: 'local',
        email: forwardedUserName + '@local.none',
        // random placeholder password; it is hashed below before saving
        password: crypto.randomBytes(10).toString('hex'),
        name: forwardedUserName,
        username: forwardedUserName,
        avatar: null,
        role: isFirstRegisteredUser ? 'ADMIN' : 'USER',
      });
      const salt = bcrypt.genSaltSync(10);
      const hash = bcrypt.hashSync(newUser.password, salt);
      newUser.password = hash;
      await newUser.save();
    }

    // Look the user up again so a freshly created account has its _id
    user = await User.findOne({ username: forwardedUserName }, '_id').lean();
    const token = await setAuthTokens(user._id, res);
    return res.status(200).send({ token, user });
  }

  if (!refreshToken) {
    return res.status(200).send('Refresh token not provided');
  }
  // ...
```
I understand that this code hardly corresponds to the complex architecture of the project. But it works for me and I hope someone can implement it correctly. The changes that really need to be made are resetting the jwt token if it is expired/incorrect so that the code can issue a new one automatically instead of showing the user the login page.
What features would you like to see added?
Option
FORWARD_AUTH_HEADER
More details
LibreChat/api/server/controllers/AuthController.js
Lines 72 to 77 in dd8038b
Documentation example: https://support.getgrist.com/install/forwarded-headers/#forwarded-headers
Which components are impacted by your request?
Endpoints
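
A check a deployment could place in front of the header lookup described in this request, shown as an added example (not code from the issue or from LibreChat): the forwarded-user header is honoured only when the connection comes from a known proxy address, the header appears exactly once, and its value is a plausible username. `TRUSTED_PROXIES`, `USERNAME_RE` and `resolveForwardedUser` are hypothetical names, and the addresses and requests are constructed samples.

```javascript
// Added example, not LibreChat code. TRUSTED_PROXIES and the username
// pattern are assumptions; FORWARD_AUTH_HEADER is the option proposed above.
const TRUSTED_PROXIES = new Set(['127.0.0.1', '::1', '10.0.0.5']); // constructed sample addresses
const USERNAME_RE = /^[A-Za-z0-9._@-]{1,64}$/;

// Strip the IPv4-mapped IPv6 prefix Node reports on dual-stack sockets.
function normalizeAddress(addr) {
  return typeof addr === 'string' ? addr.replace(/^::ffff:/i, '') : '';
}

// Decide whether the forwarded-user header on this request may be trusted.
// Returns { ok: true, username } or { ok: false, reason }.
function resolveForwardedUser(req, headerName, trustedProxies = TRUSTED_PROXIES) {
  const name = headerName.toLowerCase();

  // 1. Only the proxy's own connection may assert an identity.
  const peer = normalizeAddress(req.socket && req.socket.remoteAddress);
  if (!trustedProxies.has(peer)) {
    return { ok: false, reason: 'untrusted-peer' };
  }

  // 2. Exactly one copy of the header: rawHeaders is [name, value, name, value, ...].
  const values = [];
  const raw = req.rawHeaders || [];
  for (let i = 0; i + 1 < raw.length; i += 2) {
    if (raw[i].toLowerCase() === name) values.push(raw[i + 1]);
  }
  if (values.length === 0) return { ok: false, reason: 'header-missing' };
  if (values.length > 1) return { ok: false, reason: 'header-duplicated' };

  // 3. Constrain the value before it becomes a username or e-mail local part.
  const username = values[0].trim();
  if (!USERNAME_RE.test(username)) return { ok: false, reason: 'invalid-username' };

  return { ok: true, username };
}

// Constructed sample requests (same shape as Node's http.IncomingMessage).
const fromProxy = { socket: { remoteAddress: '::ffff:10.0.0.5' }, rawHeaders: ['Host', 'chat.example', 'Remote-User', 'alice'] };
const direct = { socket: { remoteAddress: '203.0.113.7' }, rawHeaders: ['Remote-User', 'admin'] };
const doubled = { socket: { remoteAddress: '127.0.0.1' }, rawHeaders: ['Remote-User', 'alice', 'remote-user', 'admin'] };

for (const req of [fromProxy, direct, doubled]) {
  console.log(resolveForwardedUser(req, 'Remote-User'));
}
```

The same effect can also be had at the network layer by binding the backend to an interface only the proxy can reach and having the proxy overwrite any client-supplied copy of the header.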