Allow authentication via HTTP_REMOTE_USER

2025-04-02 13:45:10 -05:00 · 2021-01-03 00:37:19 -08:00 · 2021-01-03 00:37:19 -08:00 · 7b56ad9dad
commit 7b56ad9dad
parent db4b621631
4 changed files with 39 additions and 6 deletions
--- a/docs/configuration.rst
+++ b/docs/configuration.rst
@ -162,6 +162,12 @@ PAPERLESS_COOKIE_PREFIX=<str>

    Defaults to ``""``, which does not alter the cookie names.

+PAPERLESS_ENABLE_HTTP_REMOTE_USER=<bool>
+    Allows authentication via HTTP_REMOTE_USER which is used by some SSO
+    applications.
+
+    Defaults to `false` which disables this feature.
+
 .. _configuration-ocr:

 OCR settings
--- a/paperless.conf.example
+++ b/paperless.conf.example
@ -31,6 +31,7 @@
 #PAPERLESS_STATIC_URL=/static/
 #PAPERLESS_AUTO_LOGIN_USERNAME=
 #PAPERLESS_COOKIE_PREFIX=
+#PAPERLESS_ENABLE_HTTP_REMOTE_USER=false

 # OCR settings

--- a/src/paperless/auth.py
+++ b/src/paperless/auth.py
@ -2,6 +2,7 @@ from django.conf import settings
 from django.contrib.auth.models import User
 from django.utils.deprecation import MiddlewareMixin
 from rest_framework import authentication
+from rest_framework import exceptions


 class AutoLoginMiddleware(MiddlewareMixin):
@ -26,3 +27,21 @@ class AngularApiAuthenticationOverride(authentication.BaseAuthentication):
            return (user, None)
        else:
            return None
+
+
+class HttpRemoteUserAuthentication(authentication.BaseAuthentication):
+    """ This class allows authentication via HTTP_REMOTE_USER which is set for
+        example by certain SSO applications.
+    """
+
+    def authenticate(self, request):
+        username = request.META.get('HTTP_REMOTE_USER')
+        if not username:
+            return None
+
+        try:
+            user = User.objects.get(username=username)
+        except User.DoesNotExist:
+            raise exceptions.AuthenticationFailed('No such user')
+
+        return (user, None)
--- a/src/paperless/settings.py
+++ b/src/paperless/settings.py
@ -112,6 +112,13 @@ if DEBUG:
        'paperless.auth.AngularApiAuthenticationOverride'
    )

+ENABLE_HTTP_REMOTE_USER = __get_boolean("PAPERLESS_ENABLE_HTTP_REMOTE_USER")
+
+if ENABLE_HTTP_REMOTE_USER:
+    REST_FRAMEWORK['DEFAULT_AUTHENTICATION_CLASSES'].append(
+        'paperless.auth.HttpRemoteUserAuthentication'
+    )
+
 MIDDLEWARE = [
    'django.middleware.security.SecurityMiddleware',
    'whitenoise.middleware.WhiteNoiseMiddleware',