Add ability to specify separator used in proxy headers (#18336)

frigate/api/auth.py

@@ -202,9 +202,15 @@ async def get_current_user(request: Request):
 
 def require_role(required_roles: List[str]):
     async def role_checker(request: Request):
+        proxy_config: ProxyConfig = request.app.frigate_config.proxy
+
         # Get role from header (could be comma-separated)
         role_header = request.headers.get("remote-role")
-        roles = [r.strip() for r in role_header.split(",")] if role_header else []
+        roles = (
+            [r.strip() for r in role_header.split(proxy_config.separator)]
+            if role_header
+            else []
+        )
 
         # Check if we have any roles
         if not roles:
@@ -269,7 +275,8 @@ def auth(request: Request):
         # if comma-separated with "admin", use "admin", else use default role
         success_response.headers["remote-role"] = (
             "admin"
-            if role and "admin" in [r.strip() for r in role.split(",")]
+            if role
+            and "admin" in [r.strip() for r in role.split(proxy_config.separator)]
             else proxy_config.default_role
         )
 

frigate/config/proxy.py

@@ -1,6 +1,6 @@
 from typing import Optional
 
-from pydantic import Field
+from pydantic import Field, field_validator
 
 from .base import FrigateBaseModel
 from .env import EnvString
@@ -33,3 +33,14 @@ class ProxyConfig(FrigateBaseModel):
     default_role: Optional[str] = Field(
         default="viewer", title="Default role for proxy users."
     )
+    separator: Optional[str] = Field(
+        default=",",
+        title="The character used to separate values in a mapped header.",
+    )
+
+    @field_validator("separator", mode="before")
+    @classmethod
+    def validate_separator_length(cls, v):
+        if v is not None and len(v) != 1:
+            raise ValueError("Separator must be exactly one character")
+        return v