Add auto-registration when using http_auth (#3003)

* Add auto-registration when using http_auth

* Document HTTP auth auto-registration

* Check email variable for HTTP auth auto-registration

* Auto-create HTTP users by default

* Fix Context init

(I will provide in another PR a better fix requiring a bit of global refactoring)

* Init language

Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>

app/Models/Auth.php

@@ -47,8 +47,8 @@ class FreshRSS_Auth {
 	 * @return boolean true if user can be connected, false else.
 	 */
 	private static function accessControl() {
-		$conf = Minz_Configuration::get('system');
-		$auth_type = $conf->auth_type;
+		FreshRSS_Context::$system_conf = Minz_Configuration::get('system');
+		$auth_type = FreshRSS_Context::$system_conf->auth_type;
 		switch ($auth_type) {
 		case 'form':
 			$credentials = FreshRSS_FormAuth::getCredentialsFromCookie();
@@ -62,7 +62,22 @@ class FreshRSS_Auth {
 			return $current_user != '';
 		case 'http_auth':
 			$current_user = httpAuthUser();
-			$login_ok = $current_user != '' && FreshRSS_UserDAO::exists($current_user);
+			if ($current_user == '') {
+				return false;
+			}
+			$login_ok = FreshRSS_UserDAO::exists($current_user);
+			if (!$login_ok && FreshRSS_Context::$system_conf->http_auth_auto_register) {
+				$email = null;
+				if (FreshRSS_Context::$system_conf->http_auth_auto_register_email_field !== '' &&
+					isset($_SERVER[FreshRSS_Context::$system_conf->http_auth_auto_register_email_field])) {
+					$email = $_SERVER[FreshRSS_Context::$system_conf->http_auth_auto_register_email_field];
+				}
+				$language = Minz_Translate::getLanguage(null, Minz_Request::getPreferredLanguages(), FreshRSS_Context::$system_conf->language);
+				Minz_Translate::init($language);
+				$login_ok = FreshRSS_user_Controller::createUser($current_user, $email, '', [
+					'language' => $language,
+				]);
+			}
 			if ($login_ok) {
 				Minz_Session::_param('currentUser', $current_user);
 				Minz_Session::_param('csrf');

config.default.php

@@ -55,6 +55,13 @@ return array(
 	#		and in particular not protect `/FreshRSS/p/api/` if you would like to use the API (different login system).
 	'auth_type' => 'form',
 
+	# When using http_auth, automatically register any unknown user
+	'http_auth_auto_register' => true,
+
+	# Optionally, you can specify the $_SERVER key containing the email address used when registering
+	# the user (e.g. REMOTE_USER_EMAIL).
+	'http_auth_auto_register_email_field' => '',
+
 	# Allow or not the use of the API, used for mobile apps.
 	#	End-point is https://freshrss.example.net/api/greader.php
 	#	You need to set the user's API password.
@@ -102,7 +109,7 @@ return array(
 		# Max number of categories for a user.
 		'max_categories' => 16384,
 
-		# Max number of accounts that anonymous users can create
+		# Max number of accounts that anonymous users can create (only for Web form login type)
 		#   0 for an unlimited number of accounts
 		#   1 is to not allow user registrations (1 is corresponding to the admin account)
 		'max_registrations' => 1,

docs/en/admins/09_AccessControl.md

@@ -1,10 +1,10 @@
 # Access Control
 
-FreshRSS offers three methods of Access control: Form Authentication using Javascript, HTTP based Authentication, or an uncontrolled state with no authentication required.
+FreshRSS offers three methods of Access control: Form Authentication using JavaScript, HTTP based Authentication, or an uncontrolled state with no authentication required.
 
 ## Form Authentication
 
-Form Authentication requires the use of Javascript. It will work on any supported version of PHP, but version 5.5 or newer is recommended (see footnote 1 in [prerequisites](02_Prerequisites.md) for the reason why).
+Form Authentication requires the use of JavaScript. It will work on any supported version of PHP, but version 5.5 or newer is recommended (see footnote 1 in [prerequisites](02_Prerequisites.md) for the reason why).
 
 This option requires nothing more than selecting Form Authentication during installation.
 
@@ -14,6 +14,13 @@ You may also choose to use HTTP Authentication provided by your web server.[^1]
 
 If you choose to use this option, create a `./p/i/.htaccess` file with a matching `.htpasswd` file.
 
+You can also use any authentication backend as long as your web server exposes the authenticated user through the `REMOTE_USER` variable.
+
+By default, new users allowed by HTTP Basic Auth will automatically be created in FreshRSS the first time they log in.
+You can disable auto-registration of new users by setting `http_auth_auto_register` to `false` in the configuration file.
+When using auto-registration, you can optionally use the `http_auth_auto_register_email_field` to specify the name of a web server
+variable containing the email address of the authenticated user (e.g. `REMOTE_USER_EMAIL`).
+
 ## No Authentication
 Not using authentication on your server is dangerous, as anyone with access to your server would be able to make changes as an admin. It is never advisable to not use any form of authentication, but **never** chose this option on a server that is able to be accessed outside of your home network.