From ff5ed1348cfd419110db83a776d2138e6c61df27 Mon Sep 17 00:00:00 2001
From: AKP <tom@tdpain.net>
Date: Wed, 5 Apr 2023 17:52:44 +0100
Subject: [PATCH] Switch back to using proxy-based authentication

Signed-off-by: AKP <tom@tdpain.net>
---
 datasette_plugin/analytics.py | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/datasette_plugin/analytics.py b/datasette_plugin/analytics.py
index 98cea1d..20767ca 100644
--- a/datasette_plugin/analytics.py
+++ b/datasette_plugin/analytics.py
@@ -29,6 +29,20 @@ def is_actor_authed(actor):
     return required_user_group in actor.get("groups", {})
 
 
+@hookimpl
+def actor_from_request(request):
+    # This is designed to convert Authentik proxy provider headers into an actor.
+    # We're assuming every request is authenticated because that's how that provider works.
+    rh = request.headers
+    return {
+        "id": rh.get("x-authentik-uid"),
+        "name": rh.get("x-authentik-name"),
+        "username": rh.get("x-authentik-username"),
+        "email": rh.get("x-authentik-email"),
+        "groups": rh.get("x-authentik-groups", "").split("|"),
+    }
+
+
 @hookimpl
 def permission_allowed(actor, action):
     if action == "execute-sql" or action == "permissions-debug" or action == "debug-menu":