Merge pull request #677 from skuzzle/dev

Add the possibility to customize the remote user header name

docs/configuration.rst

@@ -192,7 +192,17 @@ PAPERLESS_ENABLE_HTTP_REMOTE_USER=<bool>
     applications.
 
     Defaults to `false` which disables this feature.
-
+    
+PAPERLESS_HTTP_REMOTE_USER_HEADER_NAME=<str>
+    If `PAPERLESS_ENABLE_HTTP_REMOTE_USER` is enabled, this property allows to 
+    customize the name of the HTTP header from which the authenticated username 
+    is extracted. Values are in terms of
+    [HttpRequest.META](https://docs.djangoproject.com/en/3.1/ref/request-response/#django.http.HttpRequest.META).
+    Thus, the configured value must start with `HTTP_` followed by the 
+    normalized actual header name.
+    
+    Defaults to `HTTP_REMOTE_USER`.
+    
 .. _configuration-ocr:
 
 OCR settings

src/documents/tests/test_auth.py

@@ -0,0 +1,66 @@
+from django.contrib.auth.models import User
+from django.test import override_settings, Client, modify_settings, TestCase
+
+
+class TestRemoteUserAuthentication(TestCase):
+
+    def test_no_remote_user_auth(self):
+        client = Client()
+
+        response = client.get("/api/documents/")
+        self.assertEqual(response.status_code, 401)
+
+        response = client.get("/api/documents/", HTTP_REMOTE_USER="someone")
+        self.assertEqual(response.status_code, 401)
+
+        response = client.get("/api/documents/", HTTP_X_FORWARDED_USER="someone")
+        self.assertEqual(response.status_code, 401)
+
+    @modify_settings(
+        MIDDLEWARE={
+            'append': 'paperless.auth.HttpRemoteUserMiddleware'
+        },
+        AUTHENTICATION_BACKENDS={
+            'prepend': 'django.contrib.auth.backends.RemoteUserBackend'
+        }
+    )
+    def test_standard_remote_user_auth(self):
+        client = Client()
+
+        response = client.get("/api/documents/")
+        self.assertEqual(response.status_code, 401)
+
+        response = client.get("/api/documents/", HTTP_X_FORWARDED_USER="someone")
+        self.assertEqual(response.status_code, 401)
+
+        self.assertFalse(User.objects.filter(username="someone").exists())
+
+        response = client.get("/api/documents/", HTTP_REMOTE_USER="someone")
+        self.assertEqual(response.status_code, 200)
+
+        self.assertTrue(User.objects.filter(username="someone").exists())
+
+    @modify_settings(
+        MIDDLEWARE={
+            'append': 'paperless.auth.HttpRemoteUserMiddleware'
+        },
+        AUTHENTICATION_BACKENDS={
+            'prepend': 'django.contrib.auth.backends.RemoteUserBackend'
+        }
+    )
+    @override_settings(HTTP_REMOTE_USER_HEADER_NAME="HTTP_X_FORWARDED_USER")
+    def test_custom_remote_user_auth(self):
+        client = Client()
+
+        response = client.get("/api/documents/")
+        self.assertEqual(response.status_code, 401)
+
+        response = client.get("/api/documents/", HTTP_REMOTE_USER="someone")
+        self.assertEqual(response.status_code, 401)
+
+        self.assertFalse(User.objects.filter(username="someone").exists())
+
+        response = client.get("/api/documents/", HTTP_X_FORWARDED_USER="someone")
+        self.assertEqual(response.status_code, 200)
+
+        self.assertTrue(User.objects.filter(username="someone").exists())

src/paperless/auth.py

@@ -33,5 +33,4 @@ class HttpRemoteUserMiddleware(RemoteUserMiddleware):
     """ This class allows authentication via HTTP_REMOTE_USER which is set for
         example by certain SSO applications.
     """
-
-    header = 'HTTP_REMOTE_USER'
+    header = settings.HTTP_REMOTE_USER_HEADER_NAME

src/paperless/settings.py

@@ -189,6 +189,7 @@ if AUTO_LOGIN_USERNAME:
     MIDDLEWARE.insert(_index+1, 'paperless.auth.AutoLoginMiddleware')
 
 ENABLE_HTTP_REMOTE_USER = __get_boolean("PAPERLESS_ENABLE_HTTP_REMOTE_USER")
+HTTP_REMOTE_USER_HEADER_NAME = os.getenv("PAPERLESS_HTTP_REMOTE_USER_HEADER_NAME", "HTTP_REMOTE_USER")
 
 if ENABLE_HTTP_REMOTE_USER:
     MIDDLEWARE.append(