Move forward auth under /admin/api/forward

2025-09-02 15:03:39 -06:00 · 2025-09-02 15:03:39 -06:00 · dd20e7e7f8
commit dd20e7e7f8
parent cbf6223d4b
4 changed files with 22 additions and 23 deletions
--- a/API.md
+++ b/API.md
@ -8,7 +8,7 @@ This document describes all API endpoints available in the PassKey Auth FastAPI

 ### HTTP Endpoints
 GET /auth/ - Main authentication app
-GET /auth/forward-auth - Authentication validation for Caddy/Nginx
+GET /auth/api/forward - Authentication validation for Caddy/Nginx (was /auth/forward-auth)
 POST /auth/validate - Token validation endpoint
 POST /auth/user-info - Get authenticated user information
 POST /auth/logout - Logout current user
--- a/2
+++ b/2
@ -1,7 +1,7 @@
 (auth) {
 	# Permission check (named arg: perm=...)
 	forward_auth localhost:4401 {
-		uri /auth/forward-auth?{args.0}
+		uri /auth/api/forward?{args.0}
 		copy_headers x-auth-*
 	}
 }
--- a/passkey/fastapi/api.py
+++ b/passkey/fastapi/api.py
@ -47,6 +47,23 @@ async def validate_token(perm=Query(None), auth=Cookie(None)):
    return {"valid": True, "user_uuid": str(s.user_uuid)}


+@app.get("/forward")
+async def forward_authentication(perm=Query(None), auth=Cookie(None)):
+    """Forward auth validation for Caddy/Nginx (moved from /auth/forward-auth).
+
+    Query Params:
+    - perm: repeated permission IDs the authenticated user must possess (ALL required).
+
+    Success: 204 No Content with x-auth-user-uuid header.
+    Failure (unauthenticated / unauthorized): 4xx JSON body with detail.
+    """
+    try:
+        s = await authz.verify(auth, perm)
+        return Response(status_code=204, headers={"x-auth-user-uuid": str(s.user_uuid)})
+    except HTTPException as e:  # pass through explicitly
+        raise e
+
+
@app.get("/settings")
 async def get_settings():
    pk = global_passkey.instance
--- a/passkey/fastapi/mainapp.py
+++ b/passkey/fastapi/mainapp.py
@ -3,13 +3,13 @@ import os
 from contextlib import asynccontextmanager
 from pathlib import Path

-from fastapi import Cookie, FastAPI, HTTPException, Query, Request, Response
+from fastapi import FastAPI, HTTPException, Request
 from fastapi.responses import FileResponse, RedirectResponse
 from fastapi.staticfiles import StaticFiles

 from passkey.util import passphrase

-from . import admin, api, authz, ws
+from . import admin, api, ws

 STATIC_DIR = Path(__file__).parent.parent / "frontend-build"

@ -75,22 +75,4 @@ async def reset_authentication(request: Request, reset: str):
    return RedirectResponse(request.url_for("frontend", reset=reset), status_code=303)


-@app.get("/auth/forward-auth")
-async def forward_authentication(request: Request, perm=Query(None), auth=Cookie(None)):
-    """A validation endpoint to use with Caddy forward_auth or Nginx auth_request.
-
-    Query Params:
-    - perm: repeated permission IDs the authenticated user must possess (ALL required).
-
-    Success: 204 No Content with x-auth-user-uuid header.
-    Failure (unauthenticated / unauthorized): 4xx with index.html body so the
-    client (reverse proxy or browser) can initiate auth flow.
-    """
-    try:
-        s = await authz.verify(auth, perm)
-        return Response(
-            status_code=204,
-            headers={"x-auth-user-uuid": str(s.user_uuid)},
-        )
-    except HTTPException as e:
-        return FileResponse(STATIC_DIR / "index.html", e.status_code)
+## forward-auth endpoint moved to /auth/api/forward in api.py