Enable auth using trusted header #1128
Conversation
|
Hi! Thanks for the contribution, big fan of cloudflare tunnels 😁 I pushed a commit to fix the user creation and make sure everything passes the tests. I'm worried that because you override the id, all users will share the same conversations. I think we should use the user email decoded from the JWT to generate a user id. Then you'd need to find another way to hide the sign-out button. Maybe check if the cookie is set in the front-end instead ? |
|
@nsarrazin I am looking at Open-WebUI and they are using HTTP header instead of cookie to retrieve the user email. It looks like that is flexible to be compatible with Cloudflare Tunnel, Tailscale, OAuth0 and other SSO. Do you think that is a better option? https://docs.openwebui.com/tutorial/sso#cloudflare-tunnel-with-cloudflare-access |
|
I updated the implementation to use the header instead of the cookie. I also fixed the issue I mentioned above. Didn't yet try it as i'm travelling, will try it with cloudflare locally when I can but if you could give it a spin and let me know if it works for you as well, would be great! |
nsarrazin
changed the title
nsarrazin
added
enhancement
|
Feel free to take a quick look at the PR if you have the time, we won't be using it for huggingchat but because this touches the login code i'd like to get some other pairs of eyes on the PR 🤗 |
I am hosting Chat-UI after Cloudflare Tunnel and using Cloudflare Access for SSO.
After SSO, Cloudflare will inject a cookieCF_Authorization. Its value is a JWT. We could use the email after decoding the JWT value as login user.Nathan edit: We updated the PR to use a header instead of a cookie to get the logged in user. See this for more info.