Add networking options for configuring listening ports (#21779)

2026-03-22 02:18:32 +01:00 · 2026-01-28 06:27:46 -08:00
parent 0a19d95af5
commit 6f7ef2779e
18 changed files with 200 additions and 130 deletions
--- a/frigate/api/auth.py
+++ b/frigate/api/auth.py
@@ -26,7 +26,7 @@ from frigate.api.defs.request.app_body import (
    AppPutRoleBody,
 )
 from frigate.api.defs.tags import Tags
-from frigate.config import AuthConfig, ProxyConfig
+from frigate.config import AuthConfig, NetworkingConfig, ProxyConfig
 from frigate.const import CONFIG_DIR, JWT_SECRET_ENV_VAR, PASSWORD_HASH_ALGORITHM
 from frigate.models import User

@@ -41,7 +41,7 @@ def require_admin_by_default():
    endpoints require admin access unless explicitly overridden with
    allow_public(), allow_any_authenticated(), or require_role().

-    Port 5000 (internal) always has admin role set by the /auth endpoint,
+    Internal port always has admin role set by the /auth endpoint,
    so this check passes automatically for internal requests.

    Certain paths are exempted from the global admin check because they must
@@ -130,7 +130,7 @@ def require_admin_by_default():
            pass

        # For all other paths, require admin role
-        # Port 5000 (internal) requests have admin role set automatically
+        # Internal port requests have admin role set automatically
        role = request.headers.get("remote-role")
        if role == "admin":
            return
@@ -143,6 +143,17 @@ def require_admin_by_default():
    return admin_checker


+def _is_authenticated(request: Request) -> bool:
+    """
+    Helper to determine if a request is from an authenticated user.
+
+    Returns True if the request has a valid authenticated user (not anonymous).
+    Internal port requests are considered anonymous despite having admin role.
+    """
+    username = request.headers.get("remote-user")
+    return username is not None and username != "anonymous"
+
+
 def allow_public():
    """
    Override dependency to allow unauthenticated access to an endpoint.
@@ -171,6 +182,7 @@ def allow_any_authenticated():

    Rejects:
    - Requests with no remote-user header (did not pass through /auth endpoint)
+    - External port requests with anonymous user (auth disabled, no proxy auth)

    Example:
        @router.get("/authenticated-endpoint", dependencies=[Depends(allow_any_authenticated())])
@@ -179,8 +191,14 @@ def allow_any_authenticated():
    async def auth_checker(request: Request):
        # Ensure a remote-user has been set by the /auth endpoint
        username = request.headers.get("remote-user")
-        if username is None:
-            raise HTTPException(status_code=401, detail="Authentication required")
+
+        # Internal port requests have admin role and should be allowed
+        role = request.headers.get("remote-role")
+
+        if role != "admin":
+            if username is None or not _is_authenticated(request):
+                raise HTTPException(status_code=401, detail="Authentication required")
+
        return

    return auth_checker
@@ -570,12 +588,18 @@ def resolve_role(
 def auth(request: Request):
    auth_config: AuthConfig = request.app.frigate_config.auth
    proxy_config: ProxyConfig = request.app.frigate_config.proxy
+    networking_config: NetworkingConfig = request.app.frigate_config.networking

    success_response = Response("", status_code=202)

+    # handle case where internal port is a string with ip:port
+    internal_port = networking_config.listen.internal
+    if type(internal_port) is str:
+        internal_port = int(internal_port.split(":")[-1])
+
    # dont require auth if the request is on the internal port
    # this header is set by Frigate's nginx proxy, so it cant be spoofed
-    if int(request.headers.get("x-server-port", default=0)) == 5000:
+    if int(request.headers.get("x-server-port", default=0)) == internal_port:
        success_response.headers["remote-user"] = "anonymous"
        success_response.headers["remote-role"] = "admin"
        return success_response
@@ -1013,4 +1037,4 @@ async def get_allowed_cameras_for_filter(request: Request):
    role = current_user["role"]
    all_camera_names = set(request.app.frigate_config.cameras.keys())
    roles_dict = request.app.frigate_config.auth.roles
-    return User.get_allowed_cameras(role, roles_dict, all_camera_names)
+    return User.get_allowed_cameras(role, roles_dict, all_camera_names)