consider anonymous user authenticated (#21335)

* consider anonymous user authenticated

* simplify and update comments
Blake Blackshear 2025-12-17 08:01:20 -06:00 committed by GitHub
parent 78eace258e
commit 3edfd905de
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194


@ -143,17 +143,6 @@ def require_admin_by_default():
return admin_checker return admin_checker
def _is_authenticated(request: Request) -> bool:
"""
Helper to determine if a request is from an authenticated user.
Returns True if the request has a valid authenticated user (not anonymous).
Port 5000 internal requests are considered anonymous despite having admin role.
"""
username = request.headers.get("remote-user")
return username is not None and username != "anonymous"
def allow_public(): def allow_public():
""" """
Override dependency to allow unauthenticated access to an endpoint. Override dependency to allow unauthenticated access to an endpoint.
@ -173,27 +162,24 @@ def allow_public():
def allow_any_authenticated(): def allow_any_authenticated():
""" """
Override dependency to allow any authenticated user (bypass admin requirement). Override dependency to allow any request that passed through the /auth endpoint.
Allows: Allows:
- Port 5000 internal requests (have admin role despite anonymous user) - Port 5000 internal requests (remote-user: "anonymous", remote-role: "admin")
- Any authenticated user with a real username (not "anonymous") - Authenticated users with JWT tokens (remote-user: username)
- Unauthenticated requests when auth is disabled (remote-user: "anonymous")
Rejects: Rejects:
- Port 8971 requests with anonymous user (auth disabled, no proxy auth) - Requests with no remote-user header (did not pass through /auth endpoint)
Example: Example:
@router.get("/authenticated-endpoint", dependencies=[Depends(allow_any_authenticated())]) @router.get("/authenticated-endpoint", dependencies=[Depends(allow_any_authenticated())])
""" """
async def auth_checker(request: Request): async def auth_checker(request: Request):
# Port 5000 requests have admin role and should be allowed # Ensure a remote-user has been set by the /auth endpoint
role = request.headers.get("remote-role") username = request.headers.get("remote-user")
if role == "admin": if username is None:
return
# Otherwise require a real authenticated user (not anonymous)
if not _is_authenticated(request):
raise HTTPException(status_code=401, detail="Authentication required") raise HTTPException(status_code=401, detail="Authentication required")
return return
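Review bot: In `auth_checker`, the new guard `if username is None:` treats the mere presence of a `remote-user` header as proof that the request passed through /auth, so an empty header value is accepted and the check is only as strong as the proxy's handling of that header. Consider `if not username:` so a blank value is rejected too, plus a comment such as `# remote-user is trusted only because the proxy sets it on every request; this app must not be reachable directly`. The proxy configuration is not visible on this page, so it should be confirmed that client-supplied `remote-user` headers are stripped or overwritten before /auth runs. Because the dependency now admits `anonymous` when auth is disabled, endpoints using `allow_any_authenticated()` should be re-checked for data that was previously withheld from anonymous port 8971 requests, and the function name no longer matches what it allows. The rest of `allow_any_authenticated` lies outside the hunk.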