Move forward auth under /admin/api/forward

2025-09-02 15:03:39 -06:00
parent cbf6223d4b
commit dd20e7e7f8
4 changed files with 22 additions and 23 deletions
--- a/passkey/fastapi/api.py
+++ b/passkey/fastapi/api.py
@@ -47,6 +47,23 @@ async def validate_token(perm=Query(None), auth=Cookie(None)):
    return {"valid": True, "user_uuid": str(s.user_uuid)}


+@app.get("/forward")
+async def forward_authentication(perm=Query(None), auth=Cookie(None)):
+    """Forward auth validation for Caddy/Nginx (moved from /auth/forward-auth).
+
+    Query Params:
+    - perm: repeated permission IDs the authenticated user must possess (ALL required).
+
+    Success: 204 No Content with x-auth-user-uuid header.
+    Failure (unauthenticated / unauthorized): 4xx JSON body with detail.
+    """
+    try:
+        s = await authz.verify(auth, perm)
+        return Response(status_code=204, headers={"x-auth-user-uuid": str(s.user_uuid)})
+    except HTTPException as e:  # pass through explicitly
+        raise e
+
+
@app.get("/settings")
 async def get_settings():
    pk = global_passkey.instance
--- a/passkey/fastapi/mainapp.py
+++ b/passkey/fastapi/mainapp.py
@@ -3,13 +3,13 @@ import os
 from contextlib import asynccontextmanager
 from pathlib import Path

-from fastapi import Cookie, FastAPI, HTTPException, Query, Request, Response
+from fastapi import FastAPI, HTTPException, Request
 from fastapi.responses import FileResponse, RedirectResponse
 from fastapi.staticfiles import StaticFiles

 from passkey.util import passphrase

-from . import admin, api, authz, ws
+from . import admin, api, ws

 STATIC_DIR = Path(__file__).parent.parent / "frontend-build"

@@ -75,22 +75,4 @@ async def reset_authentication(request: Request, reset: str):
    return RedirectResponse(request.url_for("frontend", reset=reset), status_code=303)


-@app.get("/auth/forward-auth")
-async def forward_authentication(request: Request, perm=Query(None), auth=Cookie(None)):
-    """A validation endpoint to use with Caddy forward_auth or Nginx auth_request.
-
-    Query Params:
-    - perm: repeated permission IDs the authenticated user must possess (ALL required).
-
-    Success: 204 No Content with x-auth-user-uuid header.
-    Failure (unauthenticated / unauthorized): 4xx with index.html body so the
-    client (reverse proxy or browser) can initiate auth flow.
-    """
-    try:
-        s = await authz.verify(auth, perm)
-        return Response(
-            status_code=204,
-            headers={"x-auth-user-uuid": str(s.user_uuid)},
-        )
-    except HTTPException as e:
-        return FileResponse(STATIC_DIR / "index.html", e.status_code)
+## forward-auth endpoint moved to /auth/api/forward in api.py