
Reverse proxy auth header support #508

Closed
Cyper-Madsen wants to merge 5 commits into hassio-addons:main from Cyper-Madsen:reverse_proxy_auth_header_support


@Cyper-Madsen Cyper-Madsen commented Jan 9, 2026

Adding support for setting a reverse proxy auth header to support using an auth proxy in front of Grocy.

Summary by CodeRabbit

  • New Features

    • Added configurable reverse-proxy authentication header support so users can specify a custom header to integrate external auth providers (e.g., Cloudflare Tunnels).
  • Documentation

    • Updated configuration docs with the new option, usage details, and an example demonstrating how to enable reverse-proxy header authentication.


coderabbitai bot commented Jan 9, 2026

Walkthrough

Adds a new optional configuration option reverse_proxy_auth_header (docs + schema) and conditionally exports environment variables to enable Grocy's Reverse Proxy Authentication middleware when a header name is provided.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Reverse Proxy Auth Header Feature: grocy/DOCS.md, grocy/config.yaml, grocy/rootfs/etc/s6-overlay/s6-rc.d/php-fpm/run | Introduces tweaks.reverse_proxy_auth_header documentation and schema; conditionally exports GROCY_AUTH_CLASS="Grocy\Middleware\ReverseProxyAuthMiddleware" and GROCY_REVERSE_PROXY_AUTH_HEADER in the php-fpm run script when configured. |

Sequence Diagram(s)

sequenceDiagram
  participant Client
  participant ReverseProxy
  participant s6_PHP_FPM
  participant Grocy_App

  Client->>ReverseProxy: Request (user auth)
  ReverseProxy-->>Client: Forwards request with header (e.g., Cf-Access-Authenticated-User-Email)
  s6_PHP_FPM->>Grocy_App: Exports env vars if header configured
  Grocy_App->>Grocy_App: ReverseProxyAuthMiddleware reads header from env and request
  Grocy_App-->>Client: Respond (authenticated as header user)

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Poem

🐰 A hop through headers, soft and light,

I tuck auth names into the night.
A header whispered, tunnels hum,
Middleware wakes — the login’s done.
Hooray for config, snug and bright! 🎉

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title 'Reverse proxy auth header support' directly reflects the main change, which adds support for configuring a reverse proxy authentication header across documentation, configuration schema, and runtime environment variables. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 2

🤖 Fix all issues with AI agents
In @grocy/DOCS.md:
- Around line 200-202: Update the reverse_proxy_auth_header documentation to
follow the section pattern: start with the option name/bullet
(`reverse_proxy_auth_header`), then a concise description using correct grammar
("To set up an auth header to sign in with an auth proxy..."), capitalize the
product name ("Cloudflare Tunnels"), and simplify the sentence to give a clear
example header value ("Cf-Access-Authenticated-User-Email"); ensure the revised
text is one or two short sentences and placed after the bullet point like other
options.

In @grocy/rootfs/etc/s6-overlay/s6-rc.d/php-fpm/run:
- Around line 85-88: The export of GROCY_REVERSE_PROXY_AUTH_HEADER uses an
unquoted command substitution; update the export for the
GROCY_REVERSE_PROXY_AUTH_HEADER variable so the result of bashio::config
'tweaks.reverse_proxy_auth_header' is wrapped in double quotes to prevent word
splitting and preserve any special characters when assigning the value from the
bashio::config call in the php-fpm run script.
📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 84c3853 and 359d96d.

📒 Files selected for processing (3)
  • grocy/DOCS.md
  • grocy/config.yaml
  • grocy/rootfs/etc/s6-overlay/s6-rc.d/php-fpm/run
🔇 Additional comments (2)
grocy/DOCS.md (1)

60-60: LGTM!

The example configuration correctly demonstrates the new reverse_proxy_auth_header option with a realistic Cloudflare-specific header value.

grocy/config.yaml (1)

72-72: The schema addition for reverse_proxy_auth_header is correct. Grocy v4.5.0 supports reverse proxy authentication via the ReverseProxyAuthMiddleware class, with configuration passed through the GROCY_AUTH_CLASS and GROCY_REVERSE_PROXY_AUTH_HEADER environment variables. The addon conditionally exports these variables when the configuration option is set, and they are also used in the Home Assistant ingress template. The optional string type for this config option is appropriate.
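
The quoting fix requested above for the php-fpm run script, written out as an added example (not code from this pull request or the add-on). `configure_reverse_proxy_auth` is a hypothetical helper that takes the configured header name as its argument, and the restriction to letters, digits and hyphens is an assumption added here, stricter than HTTP's full header-name grammar.

```shell
# Added example, not the add-on's run script.
# configure_reverse_proxy_auth is a hypothetical helper. In the add-on the
# argument would be the output of:
#   bashio::config 'tweaks.reverse_proxy_auth_header'
configure_reverse_proxy_auth() {
    header="$1"

    # Option unset or empty: export nothing, so Grocy keeps its default
    # authentication and no header is trusted.
    if [ -z "$header" ]; then
        return 0
    fi

    # Assumption of this example: accept only letters, digits and hyphens.
    # This rejects spaces, colons, newlines and shell metacharacters before
    # the value reaches the PHP environment.
    case "$header" in
        *[!A-Za-z0-9-]*)
            echo "invalid reverse_proxy_auth_header: $header" >&2
            return 1
            ;;
    esac

    # Single quotes keep the backslashes of the PHP class name literal.
    export GROCY_AUTH_CLASS='Grocy\Middleware\ReverseProxyAuthMiddleware'

    # Double quotes around the expansion: no word splitting or globbing,
    # whatever shell ends up interpreting the script.
    export GROCY_REVERSE_PROXY_AUTH_HEADER="$header"
}
```
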


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 0

🧹 Nitpick comments (1)
grocy/DOCS.md (1)

200-202: Clarify documentation wording for reverse_proxy_auth_header option.

Line 200 has a run-on sentence with ambiguous phrasing. It should be more explicit about what the option does and what type of value is expected. Consider rewording for clarity:

💡 Suggested documentation revision
-The following sub feature can be set to specify an auth header to sign in with an auth proxy, an example is using Cloudflare Tunnels where it should be "Cf-Access-Authenticated-User-Email"
+The following sub feature can be set to specify the HTTP header name containing the authenticated user from your reverse proxy. For example, when using Cloudflare Tunnels, set this to `"Cf-Access-Authenticated-User-Email"`:
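Review bot: the replacement sentence on the `+` line says which header carries the authenticated user but not that Grocy signs the request in as whatever value arrives in that header. Suggest adding a sentence stating that the add-on must only be reachable through the reverse proxy and that the proxy must overwrite or strip any client-supplied copy of this header. Minor: "sub feature" is carried over from the removed line; "option" would match how `reverse_proxy_auth_header` is referred to elsewhere in this review.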
📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 359d96d and 77f5fe3.

📒 Files selected for processing (2)
  • grocy/DOCS.md
  • grocy/rootfs/etc/s6-overlay/s6-rc.d/php-fpm/run
🚧 Files skipped from review as they are similar to previous changes (1)
  • grocy/rootfs/etc/s6-overlay/s6-rc.d/php-fpm/run


github-actions bot commented Feb 9, 2026

There hasn't been any activity on this pull request recently. This pull request has been automatically marked as stale because of that and will be closed if no further activity occurs within 7 days. Thank you for your contributions.

@github-actions github-actions bot added the stale label Feb 9, 2026
@github-actions github-actions bot closed this Feb 17, 2026
@github-actions github-actions bot locked and limited conversation to collaborators Feb 18, 2026