Allow admin as default role and viewer as passed header for proxy auth

2026-04-27 17:17:40 +03:00 · 2025-06-26 13:51:58 -05:00 · 2025-06-26 13:51:58 -05:00 · 23850c2e96
commit 23850c2e96
parent e8044fb4a1
1 changed files with 11 additions and 9 deletions
--- a/frigate/api/auth.py
+++ b/frigate/api/auth.py
@ -33,6 +33,7 @@ from frigate.models import User
 logger = logging.getLogger(__name__)

 router = APIRouter(tags=[Tags.auth])
+VALID_ROLES = ["admin", "viewer"]


 class RateLimiter:
@ -272,12 +273,13 @@ def auth(request: Request):
            else proxy_config.default_role
        )

-        # if comma-separated with "admin", use "admin", else use default role
-        success_response.headers["remote-role"] = (
-            "admin"
-            if role
-            and "admin" in [r.strip() for r in role.split(proxy_config.separator)]
-            else proxy_config.default_role
+        # if comma-separated with "admin", use "admin",
+        # if comma-separated with "viewer", use "viewer",
+        # else use default role
+
+        roles = [r.strip() for r in role.split(proxy_config.separator)] if role else []
+        success_response.headers["remote-role"] = next(
+            (r for r in VALID_ROLES if r in roles), proxy_config.default_role
        )

        return success_response
@ -402,7 +404,7 @@ def login(request: Request, body: AppPostLoginBody):
    password_hash = db_user.password_hash
    if verify_password(password, password_hash):
        role = getattr(db_user, "role", "viewer")
-        if role not in ["admin", "viewer"]:
+        if role not in VALID_ROLES:
            role = "viewer"  # Enforce valid roles
        expiration = int(time.time()) + JWT_SESSION_LENGTH
        encoded_jwt = create_encoded_jwt(user, role, expiration, request.app.jwt_token)
@ -432,7 +434,7 @@ def create_user(
    if not re.match("^[A-Za-z0-9._]+$", body.username):
        return JSONResponse(content={"message": "Invalid username"}, status_code=400)

-    role = body.role if body.role in ["admin", "viewer"] else "viewer"
+    role = body.role if body.role in VALID_ROLES else "viewer"
    password_hash = hash_password(body.password, iterations=HASH_ITERATIONS)
    User.insert(
        {
@ -503,7 +505,7 @@ async def update_role(
        return JSONResponse(
            content={"message": "Cannot modify admin user's role"}, status_code=403
        )
-    if body.role not in ["admin", "viewer"]:
+    if body.role not in VALID_ROLES:
        return JSONResponse(
            content={"message": "Role must be 'admin' or 'viewer'"}, status_code=400
        )