Multiple Authentication Backends can be configured (#970)

2025-06-03 09:19:12 -07:00 · 2025-06-03 09:19:12 -07:00 · 8a227fc9b8
commit 8a227fc9b8
parent 8c59d65ee5
2 changed files with 61 additions and 32 deletions
--- a/README.md
+++ b/README.md
@ -72,6 +72,15 @@ All environment variables are explained in detail in the docs [here](https://doc
 | TA_LDAP | Configure TA to use LDAP Authentication | [Read more](https://docs.tubearchivist.com/configuration/ldap/) |
 | DISABLE_STATIC_AUTH | Remove authentication from media files, (Google Cast...) | [Read more](https://docs.tubearchivist.com/installation/env-vars/#disable_static_auth) |
 | DJANGO_DEBUG | Return additional error messages, for debug only | Optional |
+| TA_LOGIN_AUTH_MODE | Configure the order of login authentication backends (Default: single) | Optional |
+
+| TA_LOGIN_AUTH_MODE value | Description |
+| ------------------------ | ----------- |
+| single                   | Only use a single backend (default, or LDAP, or Forward auth, selected by TA_LDAP or TA_ENABLE_AUTH_PROXY) |
+| local                    | Use local password database only |
+| ldap                     | Use LDAP backend only |
+| forwardauth              | Use reverse proxy headers only |
+| ldap_local               | Use LDAP backend in addition to the local password database |

 **ElasticSearch**
 | Environment Var | Value | State |
--- a/backend/config/settings.py
+++ b/backend/config/settings.py
@ -195,7 +195,6 @@ if bool(environ.get("TA_LDAP")):
            ldap.OPT_X_TLS_REQUIRE_CERT: ldap.OPT_X_TLS_NEVER,
        }

-    AUTHENTICATION_BACKENDS = ("django_auth_ldap.backend.LDAPBackend",)

 # Database
 # https://docs.djangoproject.com/en/3.2/ref/settings/#databases
@ -239,10 +238,31 @@ if bool(environ.get("TA_ENABLE_AUTH_PROXY")):

    MIDDLEWARE.append("user.src.remote_user_auth.HttpRemoteUserMiddleware")

+
+# Configure Authentication Backend Combinations
+_login_auth_mode = (environ.get("TA_LOGIN_AUTH_MODE") or "single").casefold()
+if _login_auth_mode == "local":
+    AUTHENTICATION_BACKENDS = ("django.contrib.auth.backends.ModelBackend",)
+elif _login_auth_mode == "ldap":
+    AUTHENTICATION_BACKENDS = ("django_auth_ldap.backend.LDAPBackend",)
+elif _login_auth_mode == "forwardauth":
+    AUTHENTICATION_BACKENDS = (
+        "django.contrib.auth.backends.RemoteUserBackend",
+    )
+elif _login_auth_mode == "ldap_local":
+    AUTHENTICATION_BACKENDS = (
+        "django_auth_ldap.backend.LDAPBackend",
+        "django.contrib.auth.backends.ModelBackend",
+    )
+else:
+    # If none of these cases match, AUTHENTICATION_BACKENDS is unset, which
+    # means the ModelBackend should be used by default
+    if bool(environ.get("TA_LDAP")):
+        AUTHENTICATION_BACKENDS = ("django_auth_ldap.backend.LDAPBackend",)
+    if bool(environ.get("TA_ENABLE_AUTH_PROXY")):
        AUTHENTICATION_BACKENDS = (
            "django.contrib.auth.backends.RemoteUserBackend",
        )
-

 # Internationalization
 # https://docs.djangoproject.com/en/3.2/topics/i18n/