2.5 KiB
datasette-auth-headers
Authenticate a Datasette instance using headers set by an upstream proxy
This plugin is designed to work when Datasette is being run behind a reverse proxy, such as Caddy, that is performing authentication on behalf of the app and setting headers in the upstream request.
For example, when Caddy and Authentik's proxy provider are used together with a configuration like so:
example.com {
forward_auth * authentik {
// ...
}
reverse_proxy datasette
}
Authentik will set a number of headers in the upstream request, such as X-Authentik-User, to inform us who is authenticated. This plugin uses those headers to create a Datasette actor.
Installation
Install this plugin in the same environment as Datasette.
datasette install datasette-auth-headers
Usage
You must configure this plugin on the global level within Datasette. An example configuration that reads the X-Authentik-User header and uses it as the actor ID is:
{
"plugins": {
"datasette-auth-headers": {
"id-header-name": "X-Authentik-User"
}
}
}
id-header-name is case-insensitive and is the only configuration option at this time.
You should not use this plugin with headers that can be set by the end user. Your reverse proxy must strip/overwrite the headers you configure the plugin with for this to be secure.
Development
To set up this plugin locally, first checkout the code. Then create a new virtual environment:
cd datasette-auth-headers
python -m venv venv
source venv/bin/activate
Now install the dependencies and test dependencies:
pip install -e '.[test]'
To run the tests:
python -m pytest