From dd20e7e7f88cc25885c5e3824a760b795dfa3a50 Mon Sep 17 00:00:00 2001
From: Leo Vasanko
Date: Tue, 2 Sep 2025 15:03:39 -0600
Subject: [PATCH] Move forward auth under /admin/api/forward
---
 API.md | 2 +-
 Caddyfile | 2 +-
 passkey/fastapi/api.py | 17 +++++++++++++++++
 passkey/fastapi/mainapp.py | 24 +++---------------------
 4 files changed, 22 insertions(+), 23 deletions(-)
diff --git a/API.md b/API.md
index ba70477..78c48d9 100644
--- a/API.md
+++ b/API.md
@@ -8,7 +8,7 @@ This document describes all API endpoints available in the PassKey Auth FastAPI
 ### HTTP Endpoints
 GET /auth/ - Main authentication app
-GET /auth/forward-auth - Authentication validation for Caddy/Nginx
+GET /auth/api/forward - Authentication validation for Caddy/Nginx (was /auth/forward-auth)
 POST /auth/validate - Token validation endpoint
 POST /auth/user-info - Get authenticated user information
 POST /auth/logout - Logout current user
diff --git a/Caddyfile b/Caddyfile
index 63094a3..323dd09 100644
--- a/Caddyfile
+++ b/Caddyfile
@@ -1,7 +1,7 @@
 (auth) {
 # Permission check (named arg: perm=...)
 forward_auth localhost:4401 {
- uri /auth/forward-auth?{args.0}
+ uri /auth/api/forward?{args.0}
 copy_headers x-auth-*
 }
 }
diff --git a/passkey/fastapi/api.py b/passkey/fastapi/api.py
index a5ccfd4..aa37770 100644
--- a/passkey/fastapi/api.py
+++ b/passkey/fastapi/api.py
@@ -47,6 +47,23 @@ async def validate_token(perm=Query(None), auth=Cookie(None)):
 return {"valid": True, "user_uuid": str(s.user_uuid)}
+@app.get("/forward")
+async def forward_authentication(perm=Query(None), auth=Cookie(None)):
+ """Forward auth validation for Caddy/Nginx (moved from /auth/forward-auth).
+
+ Query Params:
+ - perm: repeated permission IDs the authenticated user must possess (ALL required).
+
+ Success: 204 No Content with x-auth-user-uuid header.
+ Failure (unauthenticated / unauthorized): 4xx JSON body with detail.
+ """
+ try:
+ s = await authz.verify(auth, perm)
+ return Response(status_code=204, headers={"x-auth-user-uuid": str(s.user_uuid)})
+ except HTTPException as e: # pass through explicitly
+ raise e
+
+
 @app.get("/settings")
 async def get_settings():
 pk = global_passkey.instance
diff --git a/passkey/fastapi/mainapp.py b/passkey/fastapi/mainapp.py
index 6908f6b..ef68aaa 100644
--- a/passkey/fastapi/mainapp.py
+++ b/passkey/fastapi/mainapp.py
@@ -3,13 +3,13 @@ import os
 from contextlib import asynccontextmanager
 from pathlib import Path
-from fastapi import Cookie, FastAPI, HTTPException, Query, Request, Response
+from fastapi import FastAPI, HTTPException, Request
 from fastapi.responses import FileResponse, RedirectResponse
 from fastapi.staticfiles import StaticFiles
 from passkey.util import passphrase
-from . import admin, api, authz, ws
+from . import admin, api, ws
 STATIC_DIR = Path(__file__).parent.parent / "frontend-build"
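Review bot: The `try`/`except HTTPException as e: raise e` wrapped around `authz.verify` in the new `forward_authentication` is a no-op that only adds a traceback frame; the exception propagates identically without it, so the body can be just `s = await authz.verify(auth, perm)` followed by `return Response(status_code=204, headers={"x-auth-user-uuid": str(s.user_uuid)})`. The docstring's "4xx JSON body with detail" is only true under FastAPI's default HTTPException handler, so I would phrase it as "4xx from the app's HTTPException handler (JSON detail by default)" to avoid promising a body shape this function does not produce. This route also uses `Response`, which mainapp.py stops importing in this same commit; api.py's import block is outside the hunk, so confirm it already brings `Response` into scope. Since the upstream only ever sees `x-auth-user-uuid` via the proxy's `copy_headers x-auth-*`, a one-line comment on the `Response(...)` call that the header is trustworthy only on the proxy-to-upstream hop, never from a direct client, would help the next maintainer.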
@@ -75,22 +75,4 @@ async def reset_authentication(request: Request, reset: str):
 return RedirectResponse(request.url_for("frontend", reset=reset), status_code=303)
-@app.get("/auth/forward-auth")
-async def forward_authentication(request: Request, perm=Query(None), auth=Cookie(None)):
- """A validation endpoint to use with Caddy forward_auth or Nginx auth_request.
-
- Query Params:
- - perm: repeated permission IDs the authenticated user must possess (ALL required).
-
- Success: 204 No Content with x-auth-user-uuid header.
- Failure (unauthenticated / unauthorized): 4xx with index.html body so the
- client (reverse proxy or browser) can initiate auth flow.
- """
- try:
- s = await authz.verify(auth, perm)
- return Response(
- status_code=204,
- headers={"x-auth-user-uuid": str(s.user_uuid)},
- )
- except HTTPException as e:
- return FileResponse(STATIC_DIR / "index.html", e.status_code)
+## forward-auth endpoint moved to /auth/api/forward in api.py
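Review bot: Deleting the `/auth/forward-auth` route with no replacement at that path can fail open for any proxy still configured with the old URI: the removed handler answered unauthenticated requests with `e.status_code` (a 4xx), whereas a request to the now-unmatched path gets whatever the app's fallback produces, and if the `frontend` route referenced just above serves index.html with a 200 for unknown paths (its matching rules are outside this hunk, so this is an assumption to verify), Caddy's `forward_auth` will treat that 2xx as "authorized" for every request. I would keep a fail-closed stub at the old path so a stale proxy config breaks loudly instead of silently passing traffic; `HTTPException` is still imported in mainapp.py after this commit, so the stub below needs no new imports. The `## forward-auth endpoint moved to ...` line is a tombstone that git history already records; drop it, or replace it with the stub's docstring. Note also that the commit subject says `/admin/api/forward` while API.md, the Caddyfile and this comment say `/auth/api/forward`, so one of them is wrong.
```python
@app.get("/auth/forward-auth", include_in_schema=False)
async def forward_authentication_moved():
    """Old forward_auth URI: fail closed so a stale proxy config can never receive a 2xx here."""
    raise HTTPException(status_code=410, detail="Moved to /auth/api/forward")
```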