From 12f5187ff3196f85c5fb39349141d1e43db8170d Mon Sep 17 00:00:00 2001
From: centerionware <roguestar191@comcast.net>
Date: Mon, 31 Mar 2025 00:15:45 -0600
Subject: [PATCH 1/2] feat: add traefik ingress support to media-auth

---
 src/backend/core/api/viewsets.py | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/src/backend/core/api/viewsets.py b/src/backend/core/api/viewsets.py
index c416c2247..589ecb3c9 100644
--- a/src/backend/core/api/viewsets.py
+++ b/src/backend/core/api/viewsets.py
@@ -1182,13 +1182,19 @@ def _auth_get_original_url(self, request):
         to let this request go through (by returning a 200 code) or if we block it (by returning
         a 403 error). Note that we return 403 errors without any further details for security
         reasons.
+
+        Traefik and other ingresses that aren't nginx don't send HTTP_X_ORIGINAL_URL but all 
+        should send the standard X-Forwarded-* headers, fallback to that when HTTP_X_ORIGINAL_URL
+        is not found.
         """
         # Extract the original URL from the request header
         original_url = request.META.get("HTTP_X_ORIGINAL_URL")
         if not original_url:
-            logger.debug("Missing HTTP_X_ORIGINAL_URL header in subrequest")
-            raise drf.exceptions.PermissionDenied()
-
+            logger.debug( request.META )
+            if not request.META.get("HTTP_X_FORWARDED_URI"):
+                logger.debug("Missing HTTP_X_ORIGINAL_URL header and HTTP_X_FORWARDED_URI http header.")
+                raise drf.exceptions.PermissionDenied()
+            original_url = request.META.get("HTTP_X_FORWARDED_PROTO") + "://" + request.META.get("HTTP_X_FORWARDED_HOST") + request.META.get("HTTP_X_FORWARDED_URI")
         logger.debug("Original url: '%s'", original_url)
         return urlparse(original_url)
 
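Review bot: The fallback that builds `original_url` only verifies `HTTP_X_FORWARDED_URI`, so a subrequest carrying that header without `HTTP_X_FORWARDED_PROTO` or `HTTP_X_FORWARDED_HOST` evaluates `None + "://"` and raises a TypeError, which surfaces as a 500 rather than the detail-free 403 the docstring promises. Read the three values once and deny when any is empty, e.g. `proto, host, uri = (request.META.get(k) for k in ("HTTP_X_FORWARDED_PROTO", "HTTP_X_FORWARDED_HOST", "HTTP_X_FORWARDED_URI"))` followed by `if not (proto and host and uri): raise drf.exceptions.PermissionDenied()`, then build the URL as `f"{proto}://{host}{uri}"`. The allow/deny decision described in the docstring now also rests on X-Forwarded-* values, which are only trustworthy when the ingress overwrites whatever the client sent and this endpoint is not reachable except through it; the docstring should state that deployment assumption. The start of `_auth_get_original_url` lies above the hunk, so how callers use the parsed URL is not visible here.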

From 7e3bb204c5ae54049a27461fd7f9ecc0964b0d1a Mon Sep 17 00:00:00 2001
From: centerionware <roguestar191@comcast.net>
Date: Mon, 31 Mar 2025 00:27:44 -0600
Subject: [PATCH 2/2] cleanup: remove dump of all request headers to media-auth
 when not using nginx

---
 src/backend/core/api/viewsets.py | 1 -
 1 file changed, 1 deletion(-)

diff --git a/src/backend/core/api/viewsets.py b/src/backend/core/api/viewsets.py
index 589ecb3c9..b839a7d42 100644
--- a/src/backend/core/api/viewsets.py
+++ b/src/backend/core/api/viewsets.py
@@ -1190,7 +1190,6 @@ def _auth_get_original_url(self, request):
         # Extract the original URL from the request header
         original_url = request.META.get("HTTP_X_ORIGINAL_URL")
         if not original_url:
-            logger.debug( request.META )
             if not request.META.get("HTTP_X_FORWARDED_URI"):
                 logger.debug("Missing HTTP_X_ORIGINAL_URL header and HTTP_X_FORWARDED_URI http header.")
                 raise drf.exceptions.PermissionDenied()