More auth role fixes (#17067)

* simplify check and handle comma separated roles * spacing
2025-09-23 17:52:05 +02:00 · 2025-03-10 10:00:35 -05:00 · 2025-03-10 10:00:35 -05:00 · 2be5225440
commit 2be5225440
parent cb25bd4a88
2 changed files with 10 additions and 9 deletions
--- a/frigate/api/auth.py
+++ b/frigate/api/auth.py
@ -265,11 +265,18 @@ def auth(request: Request):
            if user_header
            else "anonymous"
        )
-        success_response.headers["remote-role"] = (
+        role_header = proxy_config.header_map.role
+        role = (
            request.headers.get(role_header, default="viewer")
            if role_header
            else "viewer"
        )
+
+        # if comma-separated with "admin", use "admin", else "viewer"
+        success_response.headers["remote-role"] = (
+            "admin" if role and "admin" in role else "viewer"
+        )
+
        return success_response

    # now apply authentication
@ -359,14 +366,8 @@ def auth(request: Request):
@router.get("/profile")
 def profile(request: Request):
    username = request.headers.get("remote-user", "anonymous")
-    role = request.headers.get("remote-role")
+    role = request.headers.get("remote-role", "viewer")

-    if role is None and username != "anonymous":
-        try:
-            user = User.get_by_id(username)
-            role = getattr(user, "role", "viewer")
-        except DoesNotExist:
-            role = "viewer"  # Fallback if user deleted
    return JSONResponse(content={"username": username, "role": role})


--- a/web/src/components/auth/AuthForm.tsx
+++ b/web/src/components/auth/AuthForm.tsx
@ -87,7 +87,7 @@ export function UserAuthForm({ className, ...props }: UserAuthFormProps) {
  return (
    <div className={cn("grid gap-6", className)} {...props}>
      <Form {...form}>
-        <form onSubmit={form.handleSubmit(onSubmit)}>
+        <form onSubmit={form.handleSubmit(onSubmit)} className="space-y-4">
          <FormField
            name="user"
            render={({ field }) => (