✨(backend) make forward auth request uri header configurable

erincandescent · erincandescent · commit 33fadea71e42 · 2026-04-23T22:08:08.000+02:00
In our deployment we're using Traefik, not nginx, as an ingress.
Traefik uses X-Forwarded-Uri instead of X-Original-Uri. This
adds a setting which lets users adapt Docs to their ingress
proxy of choice

Signed-off-by: Erin Shepherd &lt;erin.shepherd@e43.eu&gt;
diff --git a/src/backend/core/api/viewsets.py b/src/backend/core/api/viewsets.py
@@ -1777,10 +1777,13 @@ def attachment_upload(self, request, *args, **kwargs):
 
     def _auth_get_original_url(self, request):
         """
-        Extracts and parses the original URL from the "HTTP_X_ORIGINAL_URL" header.
+        Extracts and parses the original URL from the configured parameter header.
         Raises PermissionDenied if the header is missing.
 
-        The original url is passed by nginx in the "HTTP_X_ORIGINAL_URL" header.
+        The original url is passed by reverse proxy in the header
+        MEDIA_AUTH_URL_PARAMETER setting.
+
+        For nginx (the default) this is set to HTTP_X_ORIGINAL_URL.
         See corresponding ingress configuration in Helm chart and read about the
         nginx.ingress.kubernetes.io/auth-url annotation to understand how the Nginx ingress
         is configured to do this.
@@ -1791,9 +1794,9 @@ def _auth_get_original_url(self, request):
         reasons.
         """
         # Extract the original URL from the request header
-        original_url = request.META.get("HTTP_X_ORIGINAL_URL")
+        original_url = request.META.get(settings.MEDIA_AUTH_URL_PARAMETER)
         if not original_url:
-            logger.debug("Missing HTTP_X_ORIGINAL_URL header in subrequest")
+            logger.debug(f"Missing {settings.MEDIA_AUTH_URL_PARAMETER} header in subrequest")
             raise drf.exceptions.PermissionDenied()
 
         logger.debug("Original url: '%s'", original_url)
diff --git a/src/backend/impress/settings.py b/src/backend/impress/settings.py
@@ -129,6 +129,9 @@ class Base(Configuration):
         default=50, environ_name="SEARCH_INDEXER_QUERY_LIMIT", environ_prefix=None
     )
 
+    MEDIA_AUTH_URL_PARAMETER = values.Value(
+        default="HTTP_X_ORIGINAL_URL", environ_name="MEDIA_AUTH_URL_PARAMETER", environ_prefix=None)
+
     # Static files (CSS, JavaScript, Images)
     STATIC_URL = "/static/"
     STATIC_ROOT = os.path.join(DATA_DIR, "static")

Original file line number	Diff line number	Diff line change
`@@ -129,6 +129,9 @@ class Base(Configuration):`
`129`	`129`	`default=50, environ_name="SEARCH_INDEXER_QUERY_LIMIT", environ_prefix=None`
`130`	`130`	`)`
`131`	`131`
	`132`	`+ MEDIA_AUTH_URL_PARAMETER = values.Value(`
	`133`	`+ default="HTTP_X_ORIGINAL_URL", environ_name="MEDIA_AUTH_URL_PARAMETER", environ_prefix=None)`
	`134`	`+`
`132`	`135`	`# Static files (CSS, JavaScript, Images)`
`133`	`136`	`STATIC_URL = "/static/"`
`134`	`137`	`STATIC_ROOT = os.path.join(DATA_DIR, "static")`