REVERSE_PROXY_AUTH with /api access

[zjean]

Hi, I am using the babybuddy web app with REVERSE_PROXY_AUTH setup (with Authelia).
That works great.
One thing however: I would like te use the api with token based authentication. I did so by whitelisting the /api from my Authalia config.
However, it looks like the Babybuddy is expecting the reverse proxy auth header for the /api endpoint.
Is it possible to exclude this header check for the api?

[cdubz]

This makes sense -- #790 needed a small fix. Thanks for contributing!

[zjean]

Hmm, my solution in this PR does not work.
First of all the check for "api/" is incorrect, it should be "/api/".
But, next to that, I always get a 403 error, even when I am sure the 'return None' is called in the middleware.

My knowledge of Python/Django is almost non-existent, so I have no clue how to debug this.
Any suggestions?

[zjean]

@cdubz
It looks like something weird goes on in the authentication backends for the remote user on the /api path.
The request is denied, I think because of the remote_user being empty.

When I change the RemoteUserBackend in settings/base.py to AllowAllUsersRemoteUserBackend the API is accessible, however I am not sure whether this has any implications..

[cdubz]

Hm yeah I'm not sure why that would make a difference based on Django's documentation for that backend: https://docs.djangoproject.com/en/5.0/ref/contrib/auth/#django.contrib.auth.backends.AllowAllUsersRemoteUserBackend

🤔