From 3702a58777f9d206127340399b17de3363c0d415 Mon Sep 17 00:00:00 2001
From: Corey <755349+corvec@users.noreply.github.com>
Date: Sun, 21 Jan 2024 03:04:52 -0500
Subject: [PATCH] Allow user creation based off username, with a config supplied domain
---
 src/invidious/config.cr | 15 ++++++++++++++-
 src/invidious/routes/login.cr | 22 ++++++++++++++++++++--
 2 files changed, 34 insertions(+), 3 deletions(-)
diff --git a/src/invidious/config.cr b/src/invidious/config.cr
index a00df60a..822ddb04 100644
--- a/src/invidious/config.cr
+++ b/src/invidious/config.cr
@@ -118,7 +118,20 @@ class Config
 # Enable auto-registration when logging in with reverse proxy auth
 property reverse_proxy_registration_enabled : Bool = false
 # Header that will contain the username, email address,
- property reverse_proxy_auth_header : String = "Remote-User"
+ property reverse_proxy_auth_user_header : String = "Remote-User"
+ property reverse_proxy_auth_email_header : String = "Remote-Email"
+ # If set to false, ignore the User header and only use the Email header.
+ # If set to a string, then this behavior will be used:
+ # if the email is blank, the email will instead be set to ${User}@${Domain}, where
+ # ${User} is the value in the Remote-User header and ${Domain} is the value of this property.
+ property reverse_proxy_auth_domain : Bool | String = false
+ # Does nothing if the reverse_proxy_auth_domain property is false.
+ # Does nothing if the reverse_proxy_auth_require_user property is true.
+ # If set to true, then the User header is preferred over the Email header.
+ property reverse_proxy_auth_prefer_user : Bool = false
+ # Does nothing if the reverse_proxy_auth_domain property is false.
+ # If set to true, then the Email header is ignored.
+ property reverse_proxy_auth_require_user : Bool = false
 # URL to the modified source code to be easily AGPL compliant
 # Will display in the footer, next to the main source code link
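Review bot: `property reverse_proxy_auth_domain : Bool | String = false` also accepts `true`, and the login route in this patch interpolates the value as `"#{user}@#{domain}"`, so a config of `true` would produce addresses ending in `@true`; `property reverse_proxy_auth_domain : String? = nil` expresses "unset or a domain" without that state and still works with the `if !domain` check. Renaming `reverse_proxy_auth_header` to `reverse_proxy_auth_user_header` without an alias presumably means an existing deployment's custom header name is no longer read and the default `Remote-User` is trusted instead, which matters when the proxy only overwrites the header it was configured with; accepting the old key as a fallback, or refusing to start when it is present, would avoid a silent change of the trusted header. The dangling context comment `# Header that will contain the username, email address,` could become `# Headers carrying the authenticated username and email; the reverse proxy must overwrite both on every request`. The Config class body starts and ends outside the hunk.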
diff --git a/src/invidious/routes/login.cr b/src/invidious/routes/login.cr
index e82ddcce..5c4c1b49 100644
--- a/src/invidious/routes/login.cr
+++ b/src/invidious/routes/login.cr
@@ -44,8 +44,26 @@ module Invidious::Routes::Login
 captcha = nil
 if CONFIG.reverse_proxy_auth_enabled
- user ||= env.request.headers[CONFIG.reverse_proxy_auth_user_header]
- email ||= env.request.headers[CONFIG.reverse_proxy_auth_email_header]
+ user = env.request.headers[CONFIG.reverse_proxy_auth_user_header]
+ email = env.request.headers[CONFIG.reverse_proxy_auth_email_header]
+ domain = CONFIG.reverse_proxy_auth_domain
+ email_regex = /^[a-zA-Z0-9.!#$%&'*+\/=?^_`{|}~-]+@[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?(?:\.[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?)*$/
+ has_valid_email = email && email_regex.match(email)
+
+ if !domain
+ # Do nothing; here to enable flattening the conditional structure
+ elsif CONFIG.reverse_proxy_auth_require_user
+ email = "#{user}@#{domain}"
+ has_valid_email = email && email_regex.match(email)
+ elsif CONFIG.reverse_proxy_auth_prefer_user
+ if user
+ email = "#{user}@#{domain}"
+ has_valid_email = email && email_regex.match(email)
+ end
+ elsif !has_valid_email && user
+ email = "#{user}@#{domain}"
+ has_valid_email = email && email_regex.match(email)
+ end
 user = Invidious::Database::Users.select(email: email)
 if user
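Review bot: `env.request.headers[...]` raises `KeyError` when the header is absent, so a proxy that sends only the user header (the case this patch is meant to support) fails on the `email =` line before any fallback runs, and the later `if user` and `email &&` nil checks can never see nil; the lookups should be `env.request.headers[CONFIG.reverse_proxy_auth_user_header]?` and likewise for the email header. `has_valid_email` is recomputed in every branch but is not consulted in the visible lines before `Invidious::Database::Users.select(email: email)`, so unless it is checked past the end of the hunk, a value that fails the regex (for example `@domain` built from a blank user under `reverse_proxy_auth_require_user`) still reaches the lookup and whatever auto-registration follows; the request should be rejected when `has_valid_email` is falsy. The name `user` holds the header string and is then reassigned to the database record, which makes the branch logic harder to audit; `proxy_user` for the header value would keep the two apart. The `if CONFIG.reverse_proxy_auth_enabled` block continues outside the hunk.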