Proposal
Add authentication via trusted HTTP headers set by an upstream reverse proxy (Authentik Outpost, Authelia, oauth2-proxy, Traefik forward-auth, nginx auth_request). This is the dominant pattern for homelab self-hosters who already run a centralized SSO IdP — lurker becomes "just another app" behind the existing auth layer.
Depends on
#35 should land first since it establishes the create-or-find user pattern that this issue reuses.
Critical security guard
This auth path must only activate when explicitly enabled via an env var (e.g., PROXY_AUTH_HEADER=X-Remote-User). If unset, the header is ignored entirely — preventing the misconfiguration where lurker is exposed directly to the internet and an attacker spoofs the header.
Scope
Treat <header-value> as the username; issue a JWT cookie for the session
Optionally read a groups header (PROXY_AUTH_GROUPS_HEADER=X-Remote-Groups) to populate admin status — e.g., users in a configured admin group become lurker admins
Touches
src/auth.js (new middleware)
src/index.js (wire it into the auth chain)
readme.md (deployment guidance with example Authentik / oauth2-proxy / Traefik snippets)
Acceptance
With PROXY_AUTH_HEADER set and a request arriving with that header populated, the user is authenticated transparently and a session cookie is issued. With the env var unset, the header is ignored entirely.