fix: exempt /chat/login and /chat/oauth/callback from forward_auth (#709)

Caddy forward_auth on /chat/* blocked unauthenticated users from
reaching the OAuth login/callback routes (401 instead of redirect).
Add explicit handle blocks for these public routes before the
forward_auth catch-all.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Claude 2026-04-12 02:37:43 +00:00
parent f8ac1d2ae2
commit ff79e64fc8

@ -615,6 +615,13 @@ _generate_caddyfile_impl() {
} }
# Chat service — reverse proxy to disinto-chat backend (#705) # Chat service — reverse proxy to disinto-chat backend (#705)
# OAuth routes bypass forward_auth — unauthenticated users need these (#709)
handle /chat/login {
reverse_proxy chat:8080
}
handle /chat/oauth/callback {
reverse_proxy chat:8080
}
# Defense-in-depth: forward_auth stamps X-Forwarded-User from session (#709) # Defense-in-depth: forward_auth stamps X-Forwarded-User from session (#709)
handle /chat/* { handle /chat/* {
forward_auth chat:8080 { forward_auth chat:8080 {
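Review bot: The two added bypass blocks, `handle /chat/login` and `handle /chat/oauth/callback`, proxy to chat:8080 with the client's request headers untouched, so an X-Forwarded-User value supplied by the client reaches the backend on these routes, whereas the comment on the following block describes that header as stamped by forward_auth from the session. Suggest deleting it in both bypass blocks before `reverse_proxy` (for example `request_header -X-Forwarded-User`), or noting in the comment that the chat backend ignores the header on these two paths. The two blocks are identical apart from the path and could share one named matcher (`path /chat/login /chat/oauth/callback`), which keeps the list of unauthenticated routes in a single place for later review.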