Project rewrite

.github/workflows/python-app.yml

@@ -19,10 +19,10 @@ jobs:
 
     steps:
     - uses: actions/checkout@v3
-    - name: Set up Python 3.10
+    - name: Set up Python 3.12
       uses: actions/setup-python@v3
       with:
-        python-version: "3.10"
+        python-version: "3.12"
     - name: Install dependencies
       run: |
         python -m pip install --upgrade pip
@@ -36,4 +36,4 @@ jobs:
         flake8 . --count --exit-zero --max-complexity=10 --max-line-length=127 --statistics
     - name: Test with unittest
       run: |
-        python -m unittest discover -s tests/ -p '*test*.py'
+        python -m unittest discover -v -s . -p '*test*.py'

.gitignore

@@ -159,3 +159,5 @@ cython_debug/
 #  option (not recommended) you can uncomment the following to ignore the entire idea folder.
 #.idea/
 pidfile
+flask_session/
+process.pid

.vscode/settings.json

@@ -2,7 +2,7 @@
     "python.testing.unittestArgs": [
         "-v",
         "-s",
-        "./tests",
+        ".",
         "-p",
         "*test*.py"
     ],
@@ -11,6 +11,10 @@
     "[python]": {
         "editor.defaultFormatter": "ms-python.autopep8"
     },
-    "python.formatting.provider": "none",
-    "python.analysis.typeCheckingMode": "basic"
+    "python.analysis.typeCheckingMode": "basic",
+    "docwriter.style": "Google",
+    "docwriter.hotkey.mac": "⌘ + .",
+    "docwriter.progress.trackFunctions": true,
+    "docwriter.progress.trackClasses": true,
+    "docwriter.progress.trackMethods": false
 }

Dockerfile

@@ -1,4 +1,4 @@
-FROM python:3.11
+FROM python:3.12
 
 COPY requirements.txt requirements.txt
 RUN pip install -r requirements.txt
@@ -8,4 +8,4 @@ COPY . .
 
 ENV PATH="$PATH:/app/scripts"
 
-CMD ["server.core" ,"start"]
+CMD ["server.core" ,"start"]

README.md

@@ -21,9 +21,8 @@ services:
         container_name: http-basic-auth-request
         environment:
             - CONFIG_DIR=/config
-            - SETTINGS_PATH=/config/settings.yml
-            - USER_DB_PATH=/config/settings.yml
-            - CACHE_TTL=60
+            - CONFIG_PATH=/config/config.yml
+            - USER_DB_PATH=/config/users.yml
             - LOG_LEVEL=INFO
             - FLASK_SESSION_COOKIE_DOMAIN=.example.com
         volumes:
@@ -51,17 +50,12 @@ Docker environmental variables:
     <td>Any</td>
     <td>/config</td>
   </tr>
+
   <tr>
-    <td>CACHE_TTL</td>
-    <td>Header Cache TTL (seconds) </td>
-    <td>float</td>
-    <td>60</td>
-  </tr>
-  <tr>
-    <td>SETTINGS_PATH</td>
-    <td>Path to settings file</td>
+    <td>CONFIG_PATH</td>
+    <td>Path to config file</td>
     <td>Any</td>
-    <td>${CONFIG_DIR}/settings.yml</td>
+    <td>${CONFIG_DIR}/config.yml</td>
   </tr>
   <tr>
     <td>LOG_LEVEL</td>
@@ -72,7 +66,7 @@ Docker environmental variables:
 
   <tr>
     <td>FLASK_SESSION_COOKIE_DOMAIN</td>
-    <td>Path to settings file</td>
+    <td>Associated cookie domain</td>
     <td>Any</td>
     <td>-</td>
   </tr>
@@ -102,7 +96,4 @@ see [default.yml](examples/default.yml)
 see [auth-request.conf](examples/auth-request.conf)
 and [nginx.conf](examples/nginx.conf)
 
-### Jellyfin
-see [jellyfin.yml](examples/jellyfin.yml)
-
 <p align="right">(<a href="#readme-top">back to top</a>)</p>

examples/default.yml

@@ -1,103 +1,107 @@
-# This is the default configuration file generated on first run
-# Restart the server / docker container after making changes to this file
-
 settings:
   server:
-    host: '0.0.0.0' #listening ip address
-    port: 9999      #listening port
+    host: "0.0.0.0"
+    port: 9999
 
 modules:
-
-  /auth: #i.e. http://localhost:9999/auth or http://localhost:9999/ 
-    mode: local # use local database
-
-    # http authentication parameters
+  /auth: #i.e. http://localhost:9999/auth
+    mode: local
+
     method: basic
     realm: default users
 
+    local:
+      db_path: /config/users.yml
+      allowed_roles:
+      - default
+
   /auth/admin: #i.e. http://localhost:9999/auth/admin
     mode: local
+
     method: basic
     realm: admin users
 
-    # restrict login to the following usernames:
-    users:
+    local:
+      db_path: /config/users.yml
+      allowed_roles:
       - admin
 
+  /auth/local: #i.e. http://localhost:9999/auth
+    mode: local
+
+    method: basic
+    realm: default users
+
+    local:
+      db_path: /config/users.yml
+      allowed_roles:
+      - default
+
+
   /auth/upstream: #i.e. http://localhost:9999/auth/upstream
-    mode: upstream # do the password checking upstream
+    mode: upstream # do the password checking in upstream
 
     method: basic
     realm: upstream users
-    forward_request_headers: false
 
     upstream:
-      # kwargs as follows requests.request() see: https://requests.readthedocs.io/en/latest/api/ 
-      # allow_redirects is set to false by default
-
-      # <<username>> / <<password>> are replaced with user inputs
-
-      method: POST
-      url: https://www.example.com/authenticate
+      url: https://demo.jellyfin.org/stable/Users/authenticatebyname
       data: >-
-        {"Username":"<<username>>","Password":"<<password>>"}
+        {"Username":"<<username>>","Pw":"<<password>>"}
+      # json:
+      #   Username: <<username>>
+      #   Pw: <<password>>
       headers:
         Content-Type: application/json
+        X-Emby-Authorization: MediaBrowser Client="nginx", Device="server", DeviceId="0", Version="1.0.0"
 
         # Forward the following list of request header to upstream server
-        forward_request_headers_list:
-          - X-Forwarded-For
-          - X-Forwarded-Host
-          - X-Forwarded-Method
-          - X-Forwarded-Port
-          - X-Forwarded-Proto
-          - X-Forwarded-Server
-          - X-Forwarded-Ss
-          - X-Forwarded-Uri
-          - X-Original-Method
-          - X-Original-URL
-          - X-Real-IP
-
-      # json:
-      #   Username: <<username>>
-      #   Password: <<password>>
-
-      users:
-        - demo
-
-  /auth/dynamic: #i.e. http://localhost:9999/auth/dynamic
-
-    mode: dynamic # check upstream first if fails check local
+        __forward:
+        - X-Forwarded-For
+        - X-Forwarded-Host
+        - X-Forwarded-Method
+        - X-Forwarded-Port
+        - X-Forwarded-Proto
+        - X-Forwarded-Server
+        - X-Forwarded-Ss
+        - X-Forwarded-Uri
+        - X-Original-Method
+        - X-Original-URL
+        - X-Real-IP
+
+  /auth/dynamic: #i.e. http://localhost:9999/auth/upstream
+    mode: dynamic # do the password checking in upstream
 
     method: basic
-    realm: upstream users
+    realm: dynamic users
 
-    upstream:
-      # kwargs as follows requests.request() see: https://requests.readthedocs.io/en/latest/api/ 
-      # allow_redirects is set to false by default
-
-      # <<username>> / <<password>> are replaced with user inputs
+    local:
+      db_path: /config/users.yml
+      allowed_roles:
+      - admin
+      - default
 
-      method: POST
-      url: https://www.example.com/authenticate
+    upstream:
+      url: https://demo.jellyfin.org/stable/Users/authenticatebyname
       data: >-
-        {"Username":"<<username>>","Password":"<<password>>"}
-      headers:
-        Content-Type: application/json
-
+        {"Username":"<<username>>","Pw":"<<password>>"}
       # json:
       #   Username: <<username>>
-      #   Password: <<password>>
-
-      users:
-        - admin
-        - 
-users:
-  # supported password format
-  # text:plaintext_password
-  # algo:iterations:b64(hash)
-  # algo:iterations:b64(salt):b64(hash)
-
-  #user1: text:password
-  user:  sha256:10000:///////////////////////abc==:8WR8KTAo2P0y9bRMkasWdKxpdBupkNBSLU4X6vz+bSg=
-  admin: sha256:10000:abcdefghijklmnopQRSTUVWXYZ==:UuRV7et/zfAIWowdZswGbCBfArhIheeeVmAXBw7OsWo=
+      #   Pw: <<password>>
+      headers:
+        Content-Type: application/json
+        X-Emby-Authorization: MediaBrowser Client="nginx", Device="server", DeviceId="0", Version="1.0.0"
+
+        # Forward the following list of request header to upstream server
+        __forward:
+        - X-Forwarded-For
+        - X-Forwarded-Host
+        - X-Forwarded-Method
+        - X-Forwarded-Port
+        - X-Forwarded-Proto
+        - X-Forwarded-Server
+        - X-Forwarded-Ss
+        - X-Forwarded-Uri
+        - X-Original-Method
+        - X-Original-URL
+        - X-Real-IP

examples/nginx.conf

@@ -13,10 +13,6 @@ server {
     }
 
     location /protected {
-        auth_request /auth/admins;
-    }
-
-    location /restricted {
-        auth_request /auth/admins?allowed_users=admin1,admin2;
+        auth_request /auth/admin;
     }
 }