From 23850c2e966295769ea1c791c4694d680165e191 Mon Sep 17 00:00:00 2001
From: Josh Hawkins <32435876+hawkeye217@users.noreply.github.com>
Date: Thu, 26 Jun 2025 13:51:58 -0500
Subject: [PATCH] Allow admin as default role and viewer as passed header for
 proxy auth

---
 frigate/api/auth.py | 20 +++++++++++---------
 1 file changed, 11 insertions(+), 9 deletions(-)

diff --git a/frigate/api/auth.py b/frigate/api/auth.py
index db12c04bb..6577f9c23 100644
--- a/frigate/api/auth.py
+++ b/frigate/api/auth.py
@@ -33,6 +33,7 @@ from frigate.models import User
 logger = logging.getLogger(__name__)
 
 router = APIRouter(tags=[Tags.auth])
+VALID_ROLES = ["admin", "viewer"]
 
 
 class RateLimiter:
@@ -272,12 +273,13 @@ def auth(request: Request):
             else proxy_config.default_role
         )
 
-        # if comma-separated with "admin", use "admin", else use default role
-        success_response.headers["remote-role"] = (
-            "admin"
-            if role
-            and "admin" in [r.strip() for r in role.split(proxy_config.separator)]
-            else proxy_config.default_role
+        # if comma-separated with "admin", use "admin",
+        # if comma-separated with "viewer", use "viewer",
+        # else use default role
+
+        roles = [r.strip() for r in role.split(proxy_config.separator)] if role else []
+        success_response.headers["remote-role"] = next(
+            (r for r in VALID_ROLES if r in roles), proxy_config.default_role
         )
 
         return success_response
@@ -402,7 +404,7 @@ def login(request: Request, body: AppPostLoginBody):
     password_hash = db_user.password_hash
     if verify_password(password, password_hash):
         role = getattr(db_user, "role", "viewer")
-        if role not in ["admin", "viewer"]:
+        if role not in VALID_ROLES:
             role = "viewer"  # Enforce valid roles
         expiration = int(time.time()) + JWT_SESSION_LENGTH
         encoded_jwt = create_encoded_jwt(user, role, expiration, request.app.jwt_token)
@@ -432,7 +434,7 @@ def create_user(
     if not re.match("^[A-Za-z0-9._]+$", body.username):
         return JSONResponse(content={"message": "Invalid username"}, status_code=400)
 
-    role = body.role if body.role in ["admin", "viewer"] else "viewer"
+    role = body.role if body.role in VALID_ROLES else "viewer"
     password_hash = hash_password(body.password, iterations=HASH_ITERATIONS)
     User.insert(
         {
@@ -503,7 +505,7 @@ async def update_role(
         return JSONResponse(
             content={"message": "Cannot modify admin user's role"}, status_code=403
         )
-    if body.role not in ["admin", "viewer"]:
+    if body.role not in VALID_ROLES:
         return JSONResponse(
             content={"message": "Role must be 'admin' or 'viewer'"}, status_code=400
         )