Enable auth using trusted header #1128
Hi! Thanks for the contribution, big fan of Cloudflare tunnels 😁 I pushed a commit to fix the user creation and make sure everything passes the tests. I'm worried that because you override the id, all users will share the same conversations. I think we should use the user email decoded from the JWT to generate a user id. Then you'd need to find another way to hide the sign-out button. Maybe check if the cookie is set in the front-end instead?

@nsarrazin I am looking at Open-WebUI and they are using HTTP header instead of cookie to retrieve the user email. It looks like that is flexible to be compatible with Cloudflare Tunnel, Tailscale, OAuth0 and other SSO. Do you think that is a better option? https://docs.openwebui.com/tutorial/sso#cloudflare-tunnel-with-cloudflare-access

I updated the implementation to use the header instead of the cookie. I also fixed the issue I mentioned above. Didn't yet try it as I'm travelling, will try it with Cloudflare locally when I can but if you could give it a spin and let me know if it works for you as well, would be great!

Feel free to take a quick look at the PR if you have the time, we won't be using it for huggingchat but because this touches the login code I'd like to get some other pairs of eyes on the PR 🤗
Nice to see a small diff like this for a feature add :)
My only question is do we need to set `hfUserId: email` but looks good
I am hosting Chat-UI after Cloudflare Tunnel and using Cloudflare Access for SSO.
After SSO, Cloudflare will inject a cookie `CF_Authorization`. Its value is a JWT. We could use the email after decoding the JWT value as login user.

Nathan edit: We updated the PR to use a header instead of a cookie to get the logged in user. See this for more info.
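
An added example (not chat-ui's code and not taken from this PR) of the two points raised in the thread: the user id is derived from the email in the trusted header instead of being a fixed value, so users do not share conversations, and the header is accepted only on connections from the authenticating proxy. The header name, proxy addresses, and the function and class names are assumptions.

```javascript
// Added example: hypothetical names, not chat-ui's implementation.
const TRUSTED_EMAIL_HEADER = "cf-access-authenticated-user-email"; // assumed header name
const TRUSTED_PROXIES = new Set(["127.0.0.1", "::1"]); // assumed: proxy runs on the same host

// Returns { id, email } or null. `headers` is a plain object with lower-cased keys.
function userFromTrustedHeader(headers, peerAddress) {
  // Anyone who can reach the app directly can set this header, so only
  // honour it on connections that come from the authenticating proxy.
  if (!TRUSTED_PROXIES.has(peerAddress)) return null;
  const raw = headers[TRUSTED_EMAIL_HEADER];
  if (typeof raw !== "string") return null; // missing, or a repeated header parsed as an array
  const email = raw.trim().toLowerCase();
  // Reject anything that is not a single plain address (e.g. "a@x.org, b@y.org").
  if (!/^[^\s@,]+@[^\s@,]+\.[^\s@,]+$/.test(email)) return null;
  // Per-user id derived from the email; a fixed id here would put every
  // proxy-authenticated visitor into the same account.
  return { id: `trusted:${email}`, email };
}

// Minimal conversation store keyed by user id, to show the isolation property.
class ConversationStore {
  constructor() { this.byUser = new Map(); }
  add(userId, title) {
    if (!this.byUser.has(userId)) this.byUser.set(userId, []);
    this.byUser.get(userId).push(title);
  }
  list(userId) { return [...(this.byUser.get(userId) ?? [])]; }
}

// Constructed sample requests: two users behind the proxy, one direct connection.
function demo() {
  const store = new ConversationStore();
  const alice = userFromTrustedHeader({ [TRUSTED_EMAIL_HEADER]: "Alice@Example.org" }, "127.0.0.1");
  const bob = userFromTrustedHeader({ [TRUSTED_EMAIL_HEADER]: "bob@example.org" }, "127.0.0.1");
  const direct = userFromTrustedHeader({ [TRUSTED_EMAIL_HEADER]: "alice@example.org" }, "203.0.113.7");
  store.add(alice.id, "alice's chat");
  store.add(bob.id, "bob's chat");
  return { alice, bob, direct, aliceSees: store.list(alice.id), bobSees: store.list(bob.id) };
}
```
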