fix: sso auth

pujitm · pujitm · commit f73919a156e3 · 2026-01-15T06:51:01.000-05:00
diff --git a/api/src/unraid-api/unraid-file-modifier/modifications/__test__/snapshots/rc.nginx.modified.snapshot b/api/src/unraid-api/unraid-file-modifier/modifications/__test__/snapshots/rc.nginx.modified.snapshot
@@ -383,6 +383,17 @@ build_locations(){
 	    include fastcgi_params;
 	}
 	#
+	# SSO endpoints (public)
+	location /auth/sso {
+	    allow all;
+	    proxy_pass http://unix:/var/run/unraid-core.sock:;
+	    proxy_http_version 1.1;
+	    proxy_set_header Host $host;
+	    proxy_set_header X-Real-IP $remote_addr;
+	    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+	    proxy_set_header X-Forwarded-Proto $scheme;
+	}
+	#
 	# Redirect to login page on failed authentication (401)
 	#
 	error_page 401 @401;
diff --git a/api/src/unraid-api/unraid-file-modifier/modifications/patches/rc-nginx.patch b/api/src/unraid-api/unraid-file-modifier/modifications/patches/rc-nginx.patch
@@ -44,7 +44,29 @@ Index: /etc/rc.d/rc.nginx
    T='    '
    if check && [[ $1 == lo ]]; then
      if [[ $IPV4 == yes ]]; then
-@@ -400,11 +418,11 @@
+@@ -363,10 +381,21 @@
+ 	    allow all;
+ 	    try_files /login.php =404;
+ 	    include fastcgi_params;
+ 	}
+ 	#
++	# SSO endpoints (public)
++	location /auth/sso {
++	    allow all;
++	    proxy_pass http://unix:/var/run/unraid-core.sock:;
++	    proxy_http_version 1.1;
++	    proxy_set_header Host $host;
++	    proxy_set_header X-Real-IP $remote_addr;
++	    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
++	    proxy_set_header X-Forwarded-Proto $scheme;
++	}
++	#
+ 	# Redirect to login page on failed authentication (401)
+ 	#
+ 	error_page 401 @401;
+ 	location @401 {
+ 	    return 302 $scheme://$http_host/login;
+@@ -400,11 +429,11 @@
  	# my servers proxy
  	#
  	location /graphql {
@@ -57,7 +79,7 @@ Index: /etc/rc.d/rc.nginx
  	    proxy_set_header Upgrade $http_upgrade;
  	    proxy_set_header Connection $connection_upgrade;
  	    proxy_cache_bypass $http_upgrade;
-@@ -566,11 +584,11 @@
+@@ -566,11 +595,11 @@
      # extract common name from cert
      CERTNAME=$(openssl x509 -noout -subject -nameopt multiline -in $CERTPATH | sed -n 's/ *commonName *= //p')
      # define CSP frame-ancestors for cert
@@ -70,7 +92,7 @@ Index: /etc/rc.d/rc.nginx
        WANIP6=$(curl https://wanip6.unraid.net/ 2>/dev/null)
      fi
      if [[ $CERTNAME == *\.myunraid\.net ]]; then
-@@ -660,14 +678,14 @@
+@@ -660,14 +689,14 @@
    echo "NGINX_WANFQDN=\"$WANFQDN\"" >>$INI
    echo "NGINX_WANFQDN6=\"$WANFQDN6\"" >>$INI
    # defined if ts_bundle.pem present:
diff --git a/api/src/unraid-api/unraid-file-modifier/modifications/rc-nginx.modification.ts b/api/src/unraid-api/unraid-file-modifier/modifications/rc-nginx.modification.ts
@@ -73,6 +73,14 @@ check_remote_access(){
             'proxy_pass http://unix:/var/run/unraid-core.sock:/graphql;'
         );
 
+        if (!newContent.includes('location /auth/sso')) {
+            newContent = newContent.replace(
+                '\t# Redirect to login page on failed authentication (401)\n',
+                // prettier-ignore
+                `\t# SSO endpoints (public)\n\tlocation /auth/sso {\n\t    allow all;\n\t    proxy_pass http://unix:/var/run/unraid-core.sock:;\n\t    proxy_http_version 1.1;\n\t    proxy_set_header Host $host;\n\t    proxy_set_header X-Real-IP $remote_addr;\n\t    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;\n\t    proxy_set_header X-Forwarded-Proto $scheme;\n\t}\n\t#\n\t# Redirect to login page on failed authentication (401)\n`
+            );
+        }
+
         newContent = newContent.replace(
             'for NET in ${!NET_FQDN6[@]}; do',
             'for NET in "${!NET_FQDN6[@]}"; do'
diff --git a/plugin/plugins/dynamix.unraid.net.plg b/plugin/plugins/dynamix.unraid.net.plg
@@ -10,7 +10,7 @@
   <!ENTITY txz_url "">
   <!ENTITY txz_name "">
   <!ENTITY core_source "/boot/config/plugins/dynamix.my.servers/&core_txz_name;">
-  <!ENTITY core_txz_sha256 "6e6849c8b47dcdd3f6e23806a8656b0c4d33171e5eced06a5d2c8f42097fb7a8">
+  <!ENTITY core_txz_sha256 "360aa04f407be961041556e98fa02ceae9f93c6809d1e99d0574a69eb06ff0fa">
   <!ENTITY core_txz_url "https://pub-7247242eea6d482488594f04a3d7d4be.r2.dev/unraid-0.1.0-2026.01.15.1.txz">
   <!ENTITY core_txz_name "unraid-0.1.0-2026.01.15.1.txz">
   <!ENTITY arch "x86_64">
diff --git a/plugin/source/dynamix.unraid.net/etc/rc.d/rc.unraid b/plugin/source/dynamix.unraid.net/etc/rc.d/rc.unraid
@@ -29,6 +29,7 @@ export RUN_ERL_LOG="${RUN_ERL_LOG:-$LOG_PATH}"
 export RELEASE_LOG_DIR="${RELEASE_LOG_DIR:-$(dirname "$LOG_PATH")}"
 export RELEASE_NODE="${UNRAID_RELEASE_NODE:-unraid}"
 export RELEASE_DISTRIBUTION="${UNRAID_RELEASE_DISTRIBUTION:-sname}"
+export RELEASE_MODE="${UNRAID_RELEASE_MODE:-interactive}"
 
 # Import user's runtime.exs if exists
 [ -f "$CONFIG_DIR/runtime.exs" ] && export RELEASE_CONFIG_DIR="$CONFIG_DIR"

Original file line number	Diff line number	Diff line change
`@@ -383,6 +383,17 @@ build_locations(){`
`383`	`383`	`include fastcgi_params;`
`384`	`384`	`}`
`385`	`385`	`#`
	`386`	`+ # SSO endpoints (public)`
	`387`	`+ location /auth/sso {`
	`388`	`+ allow all;`
	`389`	`+ proxy_pass http://unix:/var/run/unraid-core.sock:;`
	`390`	`+ proxy_http_version 1.1;`
	`391`	`+ proxy_set_header Host $host;`
	`392`	`+ proxy_set_header X-Real-IP $remote_addr;`
	`393`	`+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`
	`394`	`+ proxy_set_header X-Forwarded-Proto $scheme;`
	`395`	`+ }`
	`396`	`+ #`
`386`	`397`	`# Redirect to login page on failed authentication (401)`
`387`	`398`	`#`
`388`	`399`	`error_page 401 @401;`