
Additional parameters for header authentication

Open oeiber opened this issue 3 years ago • 2 comments

In addition to https://github.com/jonaswinkler/paperless-ng/pull/260 it would be nice if there were an option to restrict header auth to IP addresses of trusted proxies only. It would also be nice if there were an option to pass the full name of the user and also its email address.

Oct 13 '21 08:10 oeiber

What would be your use case and how would you test that?

I guess you have an SSO proxy and want to allow only requests from that one? Not sure if this needs to be handled in paperless-ng - you might also be able to put an IP filter in front of paperless-ng? Which setup are you using? Docker?

Oct 31 '21 11:10 amenk

Piling up on this, but I'm not sure I understand the documentation regarding the various proxy settings, especially PAPERLESS_ENABLE_HTTP_REMOTE_USER, which states 'If you’re exposing paperless to the internet directly, do not use this.' But I guess I'm not exposing it to the internet directly as I use a proxy...

In my case, I'm using Traefik and Authelia for authentication and OTP, works like a charm, but I'd like to push it further and populate the username authenticated directly to paperless and bypass authentication.

The thing is, I'm afraid that anyone pushing Remote-User: <username> on my LAN would gain access to that user without a password. So I guess we're back to @oeiber's comment, I would like to be sure Paperless-ng only accepts requests from Traefik.

Feb 13 '22 18:02 ybizeul

Is there a ref for this change?

Nov 28 '22 12:11 ybizeul
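
One way to enforce the restriction requested in this thread, as an added example that is not paperless-ng code: a standard-library WSGI wrapper that removes the Remote-User header unless the connection comes from a trusted proxy address. The class and function names, the sample addresses, and the assumption that the header reaches the application as `HTTP_REMOTE_USER` in the WSGI environ are illustrative.

```python
import ipaddress

# Assumption: the SSO proxy sends the authenticated user as "Remote-User",
# which a WSGI server exposes to the application as HTTP_REMOTE_USER.
AUTH_HEADER_KEY = "HTTP_REMOTE_USER"


class TrustedProxyHeaderFilter:
    """Drop the auth header unless the TCP peer is a trusted proxy."""

    def __init__(self, app, trusted_proxies, header_key=AUTH_HEADER_KEY):
        self.app = app
        self.header_key = header_key
        # Accept single addresses ("172.18.0.5") and CIDR ranges ("fd00:1::/64").
        self.networks = [ipaddress.ip_network(p, strict=False) for p in trusted_proxies]

    def is_trusted(self, remote_addr):
        try:
            peer = ipaddress.ip_address(remote_addr)
        except ValueError:
            return False  # missing or malformed peer address: fail closed
        # Dual-stack listeners report IPv4 peers as ::ffff:a.b.c.d.
        mapped = getattr(peer, "ipv4_mapped", None)
        if mapped is not None:
            peer = mapped
        return any(peer in net for net in self.networks)

    def __call__(self, environ, start_response):
        # REMOTE_ADDR is the socket peer. X-Forwarded-For is not consulted,
        # because the client controls its value.
        if not self.is_trusted(environ.get("REMOTE_ADDR", "")):
            environ.pop(self.header_key, None)
        return self.app(environ, start_response)


def echo_app(environ, start_response):
    """Stand-in application: reports which user the header would log in."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [environ.get(AUTH_HEADER_KEY, "<anonymous>").encode()]


def seen_user(app, remote_addr, remote_user):
    """Build a constructed request and return the user the wrapped app sees."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/", "REMOTE_ADDR": remote_addr}
    if remote_user is not None:
        environ[AUTH_HEADER_KEY] = remote_user
    return b"".join(app(environ, lambda status, headers: None)).decode()


# Constructed sample addresses: one proxy container and one IPv6 range.
guarded = TrustedProxyHeaderFilter(echo_app, ["172.18.0.5", "fd00:1::/64"])
```

The filter only helps if the application port is reachable and the proxy itself overwrites or strips any client-supplied Remote-User header before forwarding.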