feat(auth): add ForwardAuth support via X-Plex-Token header

This adds ForwardAuth support based on a user's Plex token being sent as an HTTP header (X-Plex-Token) within a request to Overseerr. When a session has no current user, but this feature is enabled and the header is present, Overseerr will attempt to create and/or log in the user in a manner nearly identical to the /api/v1/auth/plex endpoint.
sct · Nov 1, 2022 · dd9d362 · dd9d362
1 parent 64aab6d
commit dd9d362
Show file tree

Hide file tree

Showing 16 changed files with 379 additions and 260 deletions.
diff --git a/cypress/config/settings.cypress.json b/cypress/config/settings.cypress.json
@@ -3,147 +3,148 @@
   "vapidPrivate": "tmnslaO8ZWN6bNbSEv_rolPeBTlNxOwCCAHrM9oZz3M",
   "vapidPublic": "BK_EpP8NDm9waor2zn6_S28o3ZYv4kCkJOfYpO3pt3W6jnPmxrgTLANUBNbbyaNatPnSQ12De9CeqSYQrqWzHTs",
   "main": {
-   "apiKey": "testkey",
-   "applicationTitle": "Overseerr",
-   "applicationUrl": "",
-   "csrfProtection": false,
-   "cacheImages": false,
-   "defaultPermissions": 32,
-   "defaultQuotas": {
-    "movie": {},
-    "tv": {}
-   },
-   "hideAvailable": false,
-   "localLogin": true,
-   "newPlexLogin": true,
-   "region": "",
-   "originalLanguage": "",
-   "trustProxy": false,
-   "partialRequestsEnabled": true,
-   "locale": "en"
+    "apiKey": "testkey",
+    "applicationTitle": "Overseerr",
+    "applicationUrl": "",
+    "csrfProtection": false,
+    "cacheImages": false,
+    "defaultPermissions": 32,
+    "defaultQuotas": {
+      "movie": {},
+      "tv": {}
+    },
+    "hideAvailable": false,
+    "localLogin": true,
+    "newPlexLogin": true,
+    "region": "",
+    "originalLanguage": "",
+    "trustProxy": false,
+    "partialRequestsEnabled": true,
+    "locale": "en",
+    "enableForwardAuth": true
   },
   "plex": {
-   "name": "Seerr",
-   "ip": "192.168.1.1",
-   "port": 32400,
-   "useSsl": false,
-   "libraries": [
-    {
-     "id": "1",
-     "name": "Movies",
-     "enabled": true,
-     "type": "movie"
-    }
-   ],
-   "machineId": "test"
+    "name": "Seerr",
+    "ip": "192.168.1.1",
+    "port": 32400,
+    "useSsl": false,
+    "libraries": [
+      {
+        "id": "1",
+        "name": "Movies",
+        "enabled": true,
+        "type": "movie"
+      }
+    ],
+    "machineId": "test"
   },
   "tautulli": {},
   "radarr": [],
   "sonarr": [],
   "public": {
-   "initialized": true
+    "initialized": true
   },
   "notifications": {
-   "agents": {
-    "email": {
-     "enabled": false,
-     "options": {
-      "emailFrom": "",
-      "smtpHost": "",
-      "smtpPort": 587,
-      "secure": false,
-      "ignoreTls": false,
-      "requireTls": false,
-      "allowSelfSigned": false,
-      "senderName": "Overseerr"
-     }
-    },
-    "discord": {
-     "enabled": false,
-     "types": 0,
-     "options": {
-      "webhookUrl": "",
-      "enableMentions": true
-     }
-    },
-    "lunasea": {
-     "enabled": false,
-     "types": 0,
-     "options": {
-      "webhookUrl": ""
-     }
-    },
-    "slack": {
-     "enabled": false,
-     "types": 0,
-     "options": {
-      "webhookUrl": ""
-     }
-    },
-    "telegram": {
-     "enabled": false,
-     "types": 0,
-     "options": {
-      "botAPI": "",
-      "chatId": "",
-      "sendSilently": false
-     }
+    "agents": {
+      "email": {
+        "enabled": false,
+        "options": {
+          "emailFrom": "",
+          "smtpHost": "",
+          "smtpPort": 587,
+          "secure": false,
+          "ignoreTls": false,
+          "requireTls": false,
+          "allowSelfSigned": false,
+          "senderName": "Overseerr"
+        }
+      },
+      "discord": {
+        "enabled": false,
+        "types": 0,
+        "options": {
+          "webhookUrl": "",
+          "enableMentions": true
+        }
+      },
+      "lunasea": {
+        "enabled": false,
+        "types": 0,
+        "options": {
+          "webhookUrl": ""
+        }
+      },
+      "slack": {
+        "enabled": false,
+        "types": 0,
+        "options": {
+          "webhookUrl": ""
+        }
+      },
+      "telegram": {
+        "enabled": false,
+        "types": 0,
+        "options": {
+          "botAPI": "",
+          "chatId": "",
+          "sendSilently": false
+        }
+      },
+      "pushbullet": {
+        "enabled": false,
+        "types": 0,
+        "options": {
+          "accessToken": ""
+        }
+      },
+      "pushover": {
+        "enabled": false,
+        "types": 0,
+        "options": {
+          "accessToken": "",
+          "userToken": ""
+        }
+      },
+      "webhook": {
+        "enabled": false,
+        "types": 0,
+        "options": {
+          "webhookUrl": "",
+          "jsonPayload": "IntcbiAgICBcIm5vdGlmaWNhdGlvbl90eXBlXCI6IFwie3tub3RpZmljYXRpb25fdHlwZX19XCIsXG4gICAgXCJldmVudFwiOiBcInt7ZXZlbnR9fVwiLFxuICAgIFwic3ViamVjdFwiOiBcInt7c3ViamVjdH19XCIsXG4gICAgXCJtZXNzYWdlXCI6IFwie3ttZXNzYWdlfX1cIixcbiAgICBcImltYWdlXCI6IFwie3tpbWFnZX19XCIsXG4gICAgXCJ7e21lZGlhfX1cIjoge1xuICAgICAgICBcIm1lZGlhX3R5cGVcIjogXCJ7e21lZGlhX3R5cGV9fVwiLFxuICAgICAgICBcInRtZGJJZFwiOiBcInt7bWVkaWFfdG1kYmlkfX1cIixcbiAgICAgICAgXCJ0dmRiSWRcIjogXCJ7e21lZGlhX3R2ZGJpZH19XCIsXG4gICAgICAgIFwic3RhdHVzXCI6IFwie3ttZWRpYV9zdGF0dXN9fVwiLFxuICAgICAgICBcInN0YXR1czRrXCI6IFwie3ttZWRpYV9zdGF0dXM0a319XCJcbiAgICB9LFxuICAgIFwie3tyZXF1ZXN0fX1cIjoge1xuICAgICAgICBcInJlcXVlc3RfaWRcIjogXCJ7e3JlcXVlc3RfaWR9fVwiLFxuICAgICAgICBcInJlcXVlc3RlZEJ5X2VtYWlsXCI6IFwie3tyZXF1ZXN0ZWRCeV9lbWFpbH19XCIsXG4gICAgICAgIFwicmVxdWVzdGVkQnlfdXNlcm5hbWVcIjogXCJ7e3JlcXVlc3RlZEJ5X3VzZXJuYW1lfX1cIixcbiAgICAgICAgXCJyZXF1ZXN0ZWRCeV9hdmF0YXJcIjogXCJ7e3JlcXVlc3RlZEJ5X2F2YXRhcn19XCJcbiAgICB9LFxuICAgIFwie3tpc3N1ZX19XCI6IHtcbiAgICAgICAgXCJpc3N1ZV9pZFwiOiBcInt7aXNzdWVfaWR9fVwiLFxuICAgICAgICBcImlzc3VlX3R5cGVcIjogXCJ7e2lzc3VlX3R5cGV9fVwiLFxuICAgICAgICBcImlzc3VlX3N0YXR1c1wiOiBcInt7aXNzdWVfc3RhdHVzfX1cIixcbiAgICAgICAgXCJyZXBvcnRlZEJ5X2VtYWlsXCI6IFwie3tyZXBvcnRlZEJ5X2VtYWlsfX1cIixcbiAgICAgICAgXCJyZXBvcnRlZEJ5X3VzZXJuYW1lXCI6IFwie3tyZXBvcnRlZEJ5X3VzZXJuYW1lfX1cIixcbiAgICAgICAgXCJyZXBvcnRlZEJ5X2F2YXRhclwiOiBcInt7cmVwb3J0ZWRCeV9hdmF0YXJ9fVwiXG4gICAgfSxcbiAgICBcInt7Y29tbWVudH19XCI6IHtcbiAgICAgICAgXCJjb21tZW50X21lc3NhZ2VcIjogXCJ7e2NvbW1lbnRfbWVzc2FnZX19XCIsXG4gICAgICAgIFwiY29tbWVudGVkQnlfZW1haWxcIjogXCJ7e2NvbW1lbnRlZEJ5X2VtYWlsfX1cIixcbiAgICAgICAgXCJjb21tZW50ZWRCeV91c2VybmFtZVwiOiBcInt7Y29tbWVudGVkQnlfdXNlcm5hbWV9fVwiLFxuICAgICAgICBcImNvbW1lbnRlZEJ5X2F2YXRhclwiOiBcInt7Y29tbWVudGVkQnlfYXZhdGFyfX1cIlxuICAgIH0sXG4gICAgXCJ7e2V4dHJhfX1cIjogW11cbn0i"
+        }
+      },
+      "webpush": {
+        "enabled": false,
+        "options": {}
+      },
+      "gotify": {
+        "enabled": false,
+        "types": 0,
+        "options": {
+          "url": "",
+          "token": ""
+        }
+      }
+    }
+  },
+  "jobs": {
+    "plex-recently-added-scan": {
+      "schedule": "0 */5 * * * *"
     },
-    "pushbullet": {
-     "enabled": false,
-     "types": 0,
-     "options": {
-      "accessToken": ""
-     }
+    "plex-full-scan": {
+      "schedule": "0 0 3 * * *"
     },
-    "pushover": {
-     "enabled": false,
-     "types": 0,
-     "options": {
-      "accessToken": "",
-      "userToken": ""
-     }
+    "radarr-scan": {
+      "schedule": "0 0 4 * * *"
     },
-    "webhook": {
-     "enabled": false,
-     "types": 0,
-     "options": {
-      "webhookUrl": "",
-      "jsonPayload": "IntcbiAgICBcIm5vdGlmaWNhdGlvbl90eXBlXCI6IFwie3tub3RpZmljYXRpb25fdHlwZX19XCIsXG4gICAgXCJldmVudFwiOiBcInt7ZXZlbnR9fVwiLFxuICAgIFwic3ViamVjdFwiOiBcInt7c3ViamVjdH19XCIsXG4gICAgXCJtZXNzYWdlXCI6IFwie3ttZXNzYWdlfX1cIixcbiAgICBcImltYWdlXCI6IFwie3tpbWFnZX19XCIsXG4gICAgXCJ7e21lZGlhfX1cIjoge1xuICAgICAgICBcIm1lZGlhX3R5cGVcIjogXCJ7e21lZGlhX3R5cGV9fVwiLFxuICAgICAgICBcInRtZGJJZFwiOiBcInt7bWVkaWFfdG1kYmlkfX1cIixcbiAgICAgICAgXCJ0dmRiSWRcIjogXCJ7e21lZGlhX3R2ZGJpZH19XCIsXG4gICAgICAgIFwic3RhdHVzXCI6IFwie3ttZWRpYV9zdGF0dXN9fVwiLFxuICAgICAgICBcInN0YXR1czRrXCI6IFwie3ttZWRpYV9zdGF0dXM0a319XCJcbiAgICB9LFxuICAgIFwie3tyZXF1ZXN0fX1cIjoge1xuICAgICAgICBcInJlcXVlc3RfaWRcIjogXCJ7e3JlcXVlc3RfaWR9fVwiLFxuICAgICAgICBcInJlcXVlc3RlZEJ5X2VtYWlsXCI6IFwie3tyZXF1ZXN0ZWRCeV9lbWFpbH19XCIsXG4gICAgICAgIFwicmVxdWVzdGVkQnlfdXNlcm5hbWVcIjogXCJ7e3JlcXVlc3RlZEJ5X3VzZXJuYW1lfX1cIixcbiAgICAgICAgXCJyZXF1ZXN0ZWRCeV9hdmF0YXJcIjogXCJ7e3JlcXVlc3RlZEJ5X2F2YXRhcn19XCJcbiAgICB9LFxuICAgIFwie3tpc3N1ZX19XCI6IHtcbiAgICAgICAgXCJpc3N1ZV9pZFwiOiBcInt7aXNzdWVfaWR9fVwiLFxuICAgICAgICBcImlzc3VlX3R5cGVcIjogXCJ7e2lzc3VlX3R5cGV9fVwiLFxuICAgICAgICBcImlzc3VlX3N0YXR1c1wiOiBcInt7aXNzdWVfc3RhdHVzfX1cIixcbiAgICAgICAgXCJyZXBvcnRlZEJ5X2VtYWlsXCI6IFwie3tyZXBvcnRlZEJ5X2VtYWlsfX1cIixcbiAgICAgICAgXCJyZXBvcnRlZEJ5X3VzZXJuYW1lXCI6IFwie3tyZXBvcnRlZEJ5X3VzZXJuYW1lfX1cIixcbiAgICAgICAgXCJyZXBvcnRlZEJ5X2F2YXRhclwiOiBcInt7cmVwb3J0ZWRCeV9hdmF0YXJ9fVwiXG4gICAgfSxcbiAgICBcInt7Y29tbWVudH19XCI6IHtcbiAgICAgICAgXCJjb21tZW50X21lc3NhZ2VcIjogXCJ7e2NvbW1lbnRfbWVzc2FnZX19XCIsXG4gICAgICAgIFwiY29tbWVudGVkQnlfZW1haWxcIjogXCJ7e2NvbW1lbnRlZEJ5X2VtYWlsfX1cIixcbiAgICAgICAgXCJjb21tZW50ZWRCeV91c2VybmFtZVwiOiBcInt7Y29tbWVudGVkQnlfdXNlcm5hbWV9fVwiLFxuICAgICAgICBcImNvbW1lbnRlZEJ5X2F2YXRhclwiOiBcInt7Y29tbWVudGVkQnlfYXZhdGFyfX1cIlxuICAgIH0sXG4gICAgXCJ7e2V4dHJhfX1cIjogW11cbn0i"
-     }
+    "sonarr-scan": {
+      "schedule": "0 30 4 * * *"
     },
-    "webpush": {
-     "enabled": false,
-     "options": {}
+    "download-sync": {
+      "schedule": "0 * * * * *"
     },
-    "gotify": {
-     "enabled": false,
-     "types": 0,
-     "options": {
-      "url": "",
-      "token": ""
-     }
+    "download-sync-reset": {
+      "schedule": "0 0 1 * * *"
     }
-   }
-  },
-  "jobs": {
-   "plex-recently-added-scan": {
-    "schedule": "0 */5 * * * *"
-   },
-   "plex-full-scan": {
-    "schedule": "0 0 3 * * *"
-   },
-   "radarr-scan": {
-    "schedule": "0 0 4 * * *"
-   },
-   "sonarr-scan": {
-    "schedule": "0 30 4 * * *"
-   },
-   "download-sync": {
-    "schedule": "0 * * * * *"
-   },
-   "download-sync-reset": {
-    "schedule": "0 0 1 * * *"
-   }
   }
- }
+}
diff --git a/overseerr-api.yml b/overseerr-api.yml
@@ -133,6 +133,9 @@ components:
         defaultPermissions:
           type: number
           example: 32
+        enableForwardAuth:
+          type: boolean
+          example: true
     PlexLibrary:
       type: object
       properties:
@@ -1789,6 +1792,10 @@ components:
       type: apiKey
       in: header
       name: X-Api-Key
+    plexToken:
+      type: apiKey
+      in: header
+      name: X-Plex-Token
 
 paths:
   /status:
@@ -5920,3 +5927,4 @@ paths:
 security:
   - cookieAuth: []
   - apiKey: []
+  - plexToken: []
diff --git a/server/api/plextv.ts b/server/api/plextv.ts
@@ -9,7 +9,7 @@ interface PlexAccountResponse {
   user: PlexUser;
 }
 
-interface PlexUser {
+export interface PlexUser {
   id: number;
   uuid: string;
   email: string;
@@ -142,7 +142,7 @@ export interface PlexWatchlistItem {
   title: string;
 }
 
-class PlexTvAPI extends ExternalAPI {
+export class PlexTvAPI extends ExternalAPI {
   private authToken: string;
 
   constructor(authToken: string) {
@@ -365,5 +365,3 @@ class PlexTvAPI extends ExternalAPI {
     }
   }
 }
-
-export default PlexTvAPI;
diff --git a/server/interfaces/api/settingsInterfaces.ts b/server/interfaces/api/settingsInterfaces.ts
@@ -37,6 +37,7 @@ export interface PublicSettingsResponse {
   locale: string;
   emailEnabled: boolean;
   newPlexLogin: boolean;
+  enableForwardAuth: boolean;
 }
 
 export interface CacheItem {