Copilot AI commented Nov 14, 2025

Reverse proxy setups vary in their authentication header conventions (X-User-Email, X-Authenticated-User, X-Remote-User, etc.). The header name was hardcoded, preventing deployment flexibility.

Changes

  • Config: Added auth_user_header to AppSettings (default: X-User-Email)
  • Middleware: AuthMiddleware now accepts auth_header_name parameter
  • Integration: Main app passes config value to middleware
  • Documentation: Added AUTH_USER_HEADER to .env.example with common examples

Usage

```
# Default (no change needed)
# Uses X-User-Email

# Override for different reverse proxy
AUTH_USER_HEADER=X-Authenticated-User

# Apache mod_auth setup
AUTH_USER_HEADER=X-Remote-User
```

Tests verify custom headers work in both debug and production modes, and that incorrect headers are rejected.

Original prompt

This section details on the original issue you should resolve

<issue_title>enable a .env config value to determine the exact header to extract the username from the reverse proxy</issue_title>
<issue_description>make the app more flexible.
different systems have different reverse proxy setups and inject different header keys.
make it so that the header to extract can be configured by a .env var with the current setup as the default. </issue_description>

Comments on the Issue (you are @copilot in this section)



…ER env var

Co-authored-by: garland3 <1162675+garland3@users.noreply.github.com>
Copilot AI changed the title [WIP] Enable .env config value for header extraction Make authentication header name configurable via AUTH_USER_HEADER Nov 14, 2025
Copilot AI requested a review from garland3 November 14, 2025 16:31
Copilot finished work on behalf of garland3 November 14, 2025 16:31
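The behaviour described in the pull request (identity read from a header whose name comes from `AUTH_USER_HEADER`, default `X-User-Email`, with requests carrying a different header rejected) can be sketched as a plain ASGI middleware. This is an added example, not the project's code: `load_auth_header_name`, `HeaderAuthMiddleware`, `simulate` and the `scope["user"]` key are hypothetical names, and the header-name validation and the rejection of duplicated headers are assumptions that go beyond what the PR states.

```python
import asyncio
import os
import re

# Characters allowed in an HTTP header field name (RFC 7230 "token").
_TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")

def load_auth_header_name(environ=os.environ):
    """Read AUTH_USER_HEADER (default X-User-Email); refuse names that are not valid tokens."""
    name = environ.get("AUTH_USER_HEADER", "X-User-Email").strip()
    if not _TOKEN.fullmatch(name):
        raise ValueError(f"invalid AUTH_USER_HEADER: {name!r}")
    return name

class HeaderAuthMiddleware:
    """Hypothetical middleware: the user identity comes only from the configured header."""
    def __init__(self, app, auth_header_name):
        self.app = app
        self.header = auth_header_name.lower().encode("latin-1")  # ASGI header names are lowercase bytes

    async def __call__(self, scope, receive, send):
        if scope["type"] != "http":  # assumption: this sketch covers plain HTTP requests only
            return await self.app(scope, receive, send)
        values = [v for k, v in scope["headers"] if k == self.header]
        # Exactly one non-empty value is accepted; a missing or duplicated header fails closed.
        if len(values) != 1 or not values[0].strip():
            await send({"type": "http.response.start", "status": 401, "headers": []})
            await send({"type": "http.response.body", "body": b"unauthorized"})
            return
        scope = dict(scope, user=values[0].decode("latin-1").strip())
        await self.app(scope, receive, send)

def simulate(header_name, request_headers):
    """Send one constructed request through the middleware; return (status, user seen by the app)."""
    seen = {}
    async def app(scope, receive, send):
        seen["user"] = scope["user"]
        await send({"type": "http.response.start", "status": 200, "headers": []})
        await send({"type": "http.response.body", "body": b"ok"})
    async def send(message):
        if message["type"] == "http.response.start":
            seen["status"] = message["status"]
    async def receive():
        return {"type": "http.request", "body": b"", "more_body": False}
    scope = {"type": "http", "headers": [(k.lower().encode(), v.encode()) for k, v in request_headers]}
    asyncio.run(HeaderAuthMiddleware(app, header_name)(scope, receive, send))
    return seen.get("status"), seen.get("user")
```

A header-based identity like this is only meaningful when the reverse proxy strips any client-supplied copy of the configured header before setting its own value.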
Add documentation for the configurable authentication header (`AUTH_USER_HEADER`), explaining how to customize it for different reverse proxy setups (e.g., `X-User-Email`, `X-Remote-User`). This provides flexibility to integrate with various authentication infrastructures without code changes.
@github-actions

🔒 Security Scan Results

Security Scan Summary

Scan Results

Python SAST (Bandit)

⚠️ Security issues found in Python code

Recommendations

  • Review all SARIF files uploaded to GitHub Security tab
  • Address high and critical severity vulnerabilities immediately
  • Run npm audit fix and pip-audit locally to fix dependencies
  • Consider implementing additional security controls

@garland3 garland3 marked this pull request as ready for review November 15, 2025 02:32
@garland3 garland3 merged commit d7864e6 into main Nov 15, 2025
9 checks passed
@garland3 garland3 deleted the copilot/add-env-variable-for-header branch November 15, 2025 02:34