[PR #1285] auth: Add trusted header authentication with IP allowlist #1232

Open
opened 2026-02-27 09:11:25 +03:00 by kerem · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/lldap/lldap/pull/1285
Author: @Kumpelinus
Created: 9/13/2025
Status: 🔄 Open

Base: main ← Head: trusted-headers


📝 Commits (1)

  • 662dfab auth: Add trusted header authentication with IP allowlist

📊 Changes

10 files changed (+399 additions, -12 deletions)


📝 Cargo.lock (+1 -0)
📝 app/src/infra/api.rs (+13 -2)
📝 crates/auth/src/lib.rs (+15 -0)
📝 lldap_config.docker_template.toml (+19 -0)
📝 server/Cargo.toml (+1 -0)
📝 server/src/auth_service.rs (+233 -5)
📝 server/src/cli.rs (+23 -0)
📝 server/src/configuration.rs (+46 -1)
📝 server/src/graphql_server.rs (+40 -3)
📝 server/src/tcp_server.rs (+8 -1)

📄 Description

Add support for trusted header authentication that allows users to be authenticated via HTTP headers (e.g., from reverse proxies like Authelia, Authentik, or Traefik ForwardAuth).

This implementation provides a tokenless authentication flow that works alongside the existing JWT-based authentication:

  • Mutually exclusive authentication: When a trusted header is present, it takes precedence over JWT authentication in GraphQL requests
  • IP allowlist security: Only requests from configured trusted proxy IP addresses/networks are allowed to use header authentication
  • Configurable options: Header name, logout URL, and trusted proxy networks are all configurable

Configuration options:

  • trusted_header_options.enabled - Enable/disable the feature
  • trusted_header_options.header_name - Header containing username (default: "Remote-User")
  • trusted_header_options.logout_url - Optional logout redirect URL
  • trusted_header_options.trusted_proxies - IP addresses/CIDR networks allowed to send trusted headers (default: localhost only)

The existing username/password login remains available as fallback when trusted headers are not present.


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
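The two checks the description combines, a peer-address allowlist (CIDR or single address) and a configurable username header that takes precedence over the JWT flow only when the peer is allowlisted, worked through as an added example. This is not code from the lldap PR; the struct and field names `TrustedHeaderOptions`, `enabled`, `header_name` and `trusted_proxies` are taken from the configuration keys in the description, while `Cidr`, `AuthSource` and `authenticate` are hypothetical names for this example. The "localhost only" default is assumed to mean both loopback addresses, and since the description does not say what happens to a header arriving from a non-allowlisted peer, the example reports that case as its own variant so the caller can log it and fall back to JWT.

```rust
use std::net::IpAddr;

/// A CIDR network parsed from strings like "10.0.0.0/8", "::1/128" or a bare
/// address (treated as a host route). Hypothetical helper for this example,
/// standard library only; not the crate the PR itself uses.
#[derive(Debug, Clone, PartialEq)]
pub struct Cidr {
    addr: IpAddr,
    prefix: u8,
}

impl Cidr {
    pub fn parse(s: &str) -> Option<Cidr> {
        let (ip_str, prefix) = match s.split_once('/') {
            Some((ip, p)) => (ip, Some(p.parse::<u8>().ok()?)),
            None => (s, None),
        };
        let addr: IpAddr = ip_str.parse().ok()?;
        let max = if addr.is_ipv4() { 32 } else { 128 };
        let prefix = prefix.unwrap_or(max);
        if prefix > max {
            return None; // reject "/33" style prefixes instead of masking garbage
        }
        Some(Cidr { addr, prefix })
    }

    /// True when `ip` falls inside this network. Address families never
    /// match each other, so an IPv4-mapped IPv6 peer is not silently treated
    /// as its IPv4 counterpart.
    pub fn contains(&self, ip: &IpAddr) -> bool {
        match (self.addr, ip) {
            (IpAddr::V4(net), IpAddr::V4(ip)) => {
                let mask: u32 = if self.prefix == 0 { 0 } else { u32::MAX << (32 - self.prefix) };
                (u32::from(net) & mask) == (u32::from(*ip) & mask)
            }
            (IpAddr::V6(net), IpAddr::V6(ip)) => {
                let mask: u128 = if self.prefix == 0 { 0 } else { u128::MAX << (128 - self.prefix) };
                (u128::from(net) & mask) == (u128::from(*ip) & mask)
            }
            _ => false,
        }
    }
}

/// Mirrors the `trusted_header_options` keys from the PR description
/// (logout_url omitted: it does not affect the authentication decision).
pub struct TrustedHeaderOptions {
    pub enabled: bool,
    pub header_name: String,
    pub trusted_proxies: Vec<Cidr>,
}

impl TrustedHeaderOptions {
    /// Defaults named in the description: header "Remote-User", localhost
    /// only. Both loopback addresses are an assumption of this example.
    pub fn defaults() -> Self {
        TrustedHeaderOptions {
            enabled: true,
            header_name: "Remote-User".to_string(),
            trusted_proxies: vec![Cidr::parse("127.0.0.1").unwrap(), Cidr::parse("::1").unwrap()],
        }
    }
}

#[derive(Debug, PartialEq)]
pub enum AuthSource {
    /// Header came from an allowlisted proxy: authenticate as this user.
    TrustedHeader(String),
    /// Feature disabled or header absent/blank: use the existing JWT flow.
    Jwt,
    /// Header present but the TCP peer is not an allowlisted proxy: the
    /// header is discarded; the caller should log this and fall back to JWT.
    HeaderFromUntrustedPeer,
}

/// `peer` must be the socket peer address, never a value taken from
/// X-Forwarded-For or similar headers, otherwise the allowlist is decided by
/// data the client controls. Header names are matched case-insensitively.
pub fn authenticate(opts: &TrustedHeaderOptions, peer: IpAddr, headers: &[(&str, &str)]) -> AuthSource {
    if !opts.enabled {
        return AuthSource::Jwt;
    }
    let header = headers
        .iter()
        .find(|(name, _)| name.eq_ignore_ascii_case(&opts.header_name))
        .map(|(_, value)| value.trim());
    let user = match header {
        Some(v) if !v.is_empty() => v,
        _ => return AuthSource::Jwt,
    };
    if opts.trusted_proxies.iter().any(|net| net.contains(&peer)) {
        AuthSource::TrustedHeader(user.to_string())
    } else {
        AuthSource::HeaderFromUntrustedPeer
    }
}

fn main() {
    let mut opts = TrustedHeaderOptions::defaults();
    opts.trusted_proxies.push(Cidr::parse("10.0.0.0/24").unwrap());
    // Constructed sample requests: (peer address, headers) as a proxy would present them.
    let proxy_peer: IpAddr = "10.0.0.5".parse().unwrap();
    let lan_peer: IpAddr = "10.0.1.5".parse().unwrap();
    let hdrs = [("remote-user", "alice")];
    println!("{:?}", authenticate(&opts, proxy_peer, &hdrs)); // TrustedHeader("alice")
    println!("{:?}", authenticate(&opts, lan_peer, &hdrs)); // HeaderFromUntrustedPeer
    println!("{:?}", authenticate(&opts, proxy_peer, &[])); // Jwt
}
```

The ordering inside `authenticate` is the point worth keeping: the header is only consulted after the feature flag, and the username is only trusted after the peer passes the allowlist, so a request that carries `Remote-User` from an address outside `trusted_proxies` never authenticates as that user. Whatever the final implementation does with that case, the peer address it compares must come from the accepted TCP connection, not from a forwarded-for header.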
