You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This allows CORS requests to go through the proxy provider forward auth "plan" (not sure if this is the right word), fixing XHR and fetch requests, as well as WebSockets when the forward auth plan needs to be ran again.
I'm not really familiar with this codebase and I don't do much front end web dev, so there may be issues (including security vulnerabilities) introduced by this. Please review this carefully and assume that I don't know what I'm doing.
I've tested this patch against a branch based off of the latest release, and I have it working with Radarr, an app that uses credentialed XMLHTTPRequests and SignalR over WebSockets. It's working great, and renewing the proxy cookie is 100% transparent to me as a user. Note that I have only tested with Envoy/Istio. I don't have (or plan on having) traefik, caddy, or nginx deployed as a reverse proxy, so I'll be unable to test the changes that are specific to these reverse proxies.
One new requirement of this is that front-end application requests must set XMLHTTPRequest.withCredentials = true. Without this, the browser won't send the authentik session cookie to the authentik callback endpoint, making authentik think that every request needs to go through the application's configured auth flow. This needs to be set even if the application otherwise does not use credentials for these requests. I don't think that there is a way around this with how forward auth is handled with the proxy cookie. I'm not sure where to document this.
❌ Patch coverage is 78.94737% with 4 lines in your changes missing coverage. Please review.
✅ Project coverage is 92.57%. Comparing base (9e4b609) to head (c10de2e). ⚠️ Report is 27 commits behind head on main.
I'm aware code coverage is lacking. I'll add tests when/if this gets a first pass review. Running tests in this project locally is pretty difficult and time consuming, so I don't really want to put in this work if the actual code change needs a major rework.
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Details
This allows CORS requests to go through the proxy provider forward auth "plan" (not sure if this is the right word), fixing XHR and fetch requests, as well as WebSockets when the forward auth plan needs to be ran again.
I'm not really familiar with this codebase and I don't do much front end web dev, so there may be issues (including security vulnerabilities) introduced by this. Please review this carefully and assume that I don't know what I'm doing.
I've tested this patch against a branch based off of the latest release, and I have it working with Radarr, an app that uses credentialed XMLHTTPRequests and SignalR over WebSockets. It's working great, and renewing the proxy cookie is 100% transparent to me as a user. Note that I have only tested with Envoy/Istio. I don't have (or plan on having) traefik, caddy, or nginx deployed as a reverse proxy, so I'll be unable to test the changes that are specific to these reverse proxies.
One new requirement of this is that front-end application requests must set
XMLHTTPRequest.withCredentials = true. Without this, the browser won't send the authentik session cookie to the authentik callback endpoint, making authentik think that every request needs to go through the application's configured auth flow. This needs to be set even if the application otherwise does not use credentials for these requests. I don't think that there is a way around this with how forward auth is handled with the proxy cookie. I'm not sure where to document this.Closes #10057
Checklist
ak test authentik/) - These take like an hour to run locally. If they're not ran automatically in CI then I'll run them overnight.make lint-fix)If an API change has been made
make gen-build)If changes to the frontend have been made
make web)If applicable
XMLHTTPRequest.withCredentials = truemake docs)