
Added Auth Proxy - Accept X-Forwarded-User #1215

CauseFX il y a 6 ans
Parent
commit
1ee27ffd72

+ 4 - 1
api/config/default.php

@@ -238,5 +238,8 @@ return array(
 	'ombiDefaultFilterUnapproved' => true,
 	'ombiDefaultFilterDenied' => true,
 	'selfSignedCert' => '',
-	'homepagePlexRecentlyAddedMethod' => 'legacy'
+	'homepagePlexRecentlyAddedMethod' => 'legacy',
+	'authProxyEnabled' => false,
+	'authProxyHeaderName' => '',
+	'authProxyWhitelist' => ''
 );

+ 12 - 1
api/functions/api-functions.php

@@ -89,6 +89,16 @@ function login($array)
 			'database' => $GLOBALS['dbLocation'] . $GLOBALS['dbName'],
 		]);
 		$authSuccess = false;
+		$authProxy = false;
+		if($GLOBALS['authProxyEnabled'] && $GLOBALS['authProxyHeaderName'] !== '' && $GLOBALS['authProxyWhitelist'] !== ''){
+
+			$whitelistRange = analyzeIP($GLOBALS['authProxyWhitelist']);
+			$from = $whitelistRange['from'];
+			$to = $whitelistRange['to'];
+			$authProxy = authProxyRangeCheck($from,$to);
+			$usernameHeader = isset(getallheaders()[$GLOBALS['authProxyHeaderName']]) ? getallheaders()[$GLOBALS['authProxyHeaderName']] : $username;
+			$username = ($authProxy) ? $usernameHeader : $username;
+		}
 		$function = 'plugin_auth_' . $GLOBALS['authBackend'];
 		if (!$oAuth) {
 			$result = $database->fetch('SELECT * FROM users WHERE username = ? COLLATE NOCASE OR email = ? COLLATE NOCASE', $username, $username);
@@ -112,6 +122,7 @@ function login($array)
 						}
 					}
 			}
+			$authSuccess = ($authProxy) ? true : $authSuccess;
 		} else {
 			// Has oAuth Token!
 			switch ($oAuthType) {
@@ -139,7 +150,7 @@ function login($array)
 		if ($authSuccess) {
 			// Make sure user exists in database
 			$userExists = false;
-			$passwordMatches = ($oAuth) ? true : false;
+			$passwordMatches = ($oAuth || $authProxy) ? true : false;
 			$token = (is_array($authSuccess) && isset($authSuccess['token']) ? $authSuccess['token'] : '');
 			if ($result['username']) {
 				$userExists = true;
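Review bot: When the configured header is absent, line 38 falls back to the caller-supplied `$username` while the second hunk's `$authSuccess = ($authProxy) ? true : $authSuccess;` still marks the login successful, so any request from a whitelisted address can log in as an arbitrary posted username without a password. Make the proxy path depend on the header actually being present: `$headers = getallheaders();` / `$authProxy = $authProxy && isset($headers[$GLOBALS['authProxyHeaderName']]);` / `$username = $authProxy ? $headers[$GLOBALS['authProxyHeaderName']] : $username;`. `analyzeIP()` returns `false` for an unparsable whitelist and lines 35-36 index that value without a check, so the condition on line 32 should also require `$whitelistRange !== false` so the proxy path fails closed. `getallheaders()` returns header names as the client sent them, so a case mismatch against the configured name silently disables the proxy path; looking the name up through `array_change_key_case()` avoids that. The enclosing `login()` starts and ends outside these hunks.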

+ 51 - 0
api/functions/organizr-functions.php

@@ -860,6 +860,31 @@ function getSettingsMain()
 				'help' => 'IPv4 only at the moment - This will set your login as local if your IP falls within the From and To'
 			),
 		),
+		'Auth Proxy' => array(
+			array(
+				'type' => 'switch',
+				'name' => 'authProxyEnabled',
+				'label' => 'Auth Proxy',
+				'help' => 'Enable option to set Auth Poxy Header Login',
+				'value' => $GLOBALS['authProxyEnabled'],
+			),
+			array(
+				'type' => 'input',
+				'name' => 'authProxyHeaderName',
+				'label' => 'Auth Proxy Header Name',
+				'value' => $GLOBALS['authProxyHeaderName'],
+				'placeholder' => 'i.e. X-Forwarded-User',
+				'help' => 'Please choose a unique value for added security'
+			),
+			array(
+				'type' => 'input',
+				'name' => 'authProxyWhitelist',
+				'label' => 'Auth Proxy Whitelist',
+				'value' => $GLOBALS['authProxyWhitelist'],
+				'placeholder' => 'i.e. 10.0.0.0/24 or 10.0.0.20',
+				'help' => 'IPv4 only at the moment - This must be set to work, will accept subnet or IP address'
+			),
+		),
 		'Ping' => array(
 			array(
 				'type' => 'select',
@@ -2519,3 +2544,29 @@ function checkHostPrefix($s)
 	}
 	return (substr($s, -1, 1) == '\\') ? $s : $s . '\\';
 }
+function analyzeIP($ip)
+{
+	if(strpos($ip,'/') !== false){
+		$explodeIP = explode('/', $ip);
+		$prefix = $explodeIP[1];
+		$start_ip = $explodeIP[0];
+		$ip_count = 1 << (32 - $prefix);
+		$start_ip_long = ip2long($start_ip);
+		$last_ip_long = ip2long($start_ip) + $ip_count - 1;
+	}elseif(substr_count($ip, '.') == 3){
+		$start_ip_long = ip2long($ip);
+		$last_ip_long = ip2long($ip);
+	}
+	return (isset($start_ip_long) && isset($last_ip_long)) ? array('from' => $start_ip_long, 'to' => $last_ip_long) : false;
+}
+function authProxyRangeCheck($from, $to)
+{
+	$approved = false;
+	$userIP = ip2long(userIP());
+	$low = $from;
+	$high = $to;
+	if ($userIP <= $high && $low <= $userIP) {
+		$approved = true;
+	}
+	return $approved;
+}
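Review bot: `analyzeIP()` does not mask the start address to the network boundary, so a whitelist of `10.0.0.20/24` (the very placeholder the settings hunk suggests) yields the range 10.0.0.20–10.0.1.19 instead of 10.0.0.0–10.0.0.255, admitting addresses outside the intended subnet. The prefix is also used unvalidated in `1 << (32 - $prefix)` and the `false` return of `ip2long()` is never checked, so a malformed setting produces an arithmetic result instead of the intended `false`. The rewrite below validates both inputs before shifting and masks the start; it assumes 64-bit PHP where `ip2long()` is non-negative, as the comparison in `authProxyRangeCheck()` already does. `authProxyRangeCheck()` trusts `userIP()`, which is defined outside this diff; if that helper honours forwarded-for style headers, the whitelist check can be satisfied by a client-supplied value, which is worth confirming before enabling the feature.
```php
function analyzeIP($ip)
{
	if (strpos($ip, '/') !== false) {
		[$start_ip, $prefix] = explode('/', $ip, 2);
		$start_ip_long = ip2long($start_ip);
		// Reject an unparsable address or a prefix outside 0..32 before shifting.
		if ($start_ip_long === false || !ctype_digit($prefix) || (int) $prefix > 32) {
			return false;
		}
		$ip_count = 1 << (32 - (int) $prefix);
		// Mask the start to the network boundary so 10.0.0.20/24 means 10.0.0.0-10.0.0.255.
		$start_ip_long = $start_ip_long & (~($ip_count - 1) & 0xFFFFFFFF);
		$last_ip_long = $start_ip_long + $ip_count - 1;
	} elseif (substr_count($ip, '.') == 3) {
		$start_ip_long = ip2long($ip);
		if ($start_ip_long === false) {
			return false;
		}
		$last_ip_long = $start_ip_long;
	}
	// … unchanged: final return of the from/to array or false …
}
```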