More auth role fixes (#17067)

* simplify check and handle comma separated roles * spacing
2025-10-27 10:52:11 +01:00 · 2025-03-10 10:00:35 -05:00 · 2025-03-10 10:00:35 -05:00 · 2be5225440
commit 2be5225440
parent cb25bd4a88
2 changed files with 10 additions and 9 deletions
--- a/frigate/api/auth.py
+++ b/frigate/api/auth.py
@ -265,11 +265,18 @@ def auth(request: Request):
            if user_header
            else "anonymous"
        )
-        success_response.headers["remote-role"] = (
+        role_header = proxy_config.header_map.role
        role = (
            request.headers.get(role_header, default="viewer")
            if role_header
            else "viewer"
        )
        # if comma-separated with "admin", use "admin", else "viewer"
        success_response.headers["remote-role"] = (
            "admin" if role and "admin" in role else "viewer"
        )
        return success_response
    # now apply authentication
@ -359,14 +366,8 @@ def auth(request: Request):
@router.get("/profile")
 def profile(request: Request):
    username = request.headers.get("remote-user", "anonymous")
-    role = request.headers.get("remote-role")
+    role = request.headers.get("remote-role", "viewer")
    if role is None and username != "anonymous":
        try:
            user = User.get_by_id(username)
            role = getattr(user, "role", "viewer")
        except DoesNotExist:
            role = "viewer"  # Fallback if user deleted
    return JSONResponse(content={"username": username, "role": role})
--- a/web/src/components/auth/AuthForm.tsx
+++ b/web/src/components/auth/AuthForm.tsx
@ -87,7 +87,7 @@ export function UserAuthForm({ className, ...props }: UserAuthFormProps) {
  return (
    <div className={cn("grid gap-6", className)} {...props}>
      <Form {...form}>
-        <form onSubmit={form.handleSubmit(onSubmit)}>
+        <form onSubmit={form.handleSubmit(onSubmit)} className="space-y-4">
          <FormField
            name="user"
            render={({ field }) => (