Allow changing the group separator character

MaienM · MaienM · commit a0a9a95df06e · 2025-09-02T20:24:07.000+02:00
diff --git a/README.md b/README.md
@@ -76,6 +76,7 @@ option](https://oauth2-proxy.github.io/oauth2-proxy/configuration/overview?_high
 | Name | Purpose | Default |
 | --- | --- | --- |
 | `HEADER_USERNAME` | The header to look at for the username. Usernames are matched (ignoring case) with the names of the players in the game. | `x-auth-request-preferred-username` |
-| `HEADER_ROLES` | The header to look at for the roles. This must be a comma-separated list. | `x-auth-request-groups` |
+| `HEADER_ROLES` | The header to look at for the roles. | `x-auth-request-groups` |
+| `HEADER_ROLES_SEPARATOR` | The symbol that is used to separate the roles in the header. | `,` |
 | `ROLE_PLAYER` | The role that marks someone as a player. | `role:foundry-vtt:player` |
 | `ROLE_ADMIN` | The role that marks someone as an admin. | `role:foundry-vtt:admin` |
diff --git a/patches.sh b/patches.sh
@@ -2,6 +2,7 @@
 
 HEADER_USERNAME="${HEADER_USERNAME:-"x-auth-request-preferred-username"}"
 HEADER_ROLES="${HEADER_ROLES:-"x-auth-request-groups"}"
+HEADER_ROLES_SEPARATOR="${HEADER_ROLES_SEPARATOR:-","}"
 ROLE_PLAYER="${ROLE_PLAYER:-"role:foundry-vtt:player"}"
 ROLE_ADMIN="${ROLE_ADMIN:-"role:foundry-vtt:admin"}"
 
@@ -45,10 +46,10 @@ patch_append() (
 )
 
 # Replace admin password check with header check.
-patch_sed admin-header-login resources/app/dist/sessions.mjs "s/testPassword(\(\w\+\)\.body\.adminPassword,\w\+,getSalt(config.passwordSalt))/(s.headers['$HEADER_ROLES'].split(',').includes('$ROLE_ADMIN'))/"
+patch_sed admin-header-login resources/app/dist/sessions.mjs "s/testPassword(\(\w\+\)\.body\.adminPassword,\w\+,getSalt(config.passwordSalt))/(s.headers['$HEADER_ROLES'].split('$HEADER_ROLES_SEPARATOR').includes('$ROLE_ADMIN'))/"
 
 # Replace user password check with header check. In addition to the player themselves admins will also be allowed to log in as any player.
-patch_sed user-header-login resources/app/dist/sessions.mjs "s/testPassword(\w\+,\(\w\+\)\.password,\w\+.passwordSalt)/((s.headers['$HEADER_USERNAME'].toLowerCase() === \1.name.toLowerCase() \&\& s.headers['$HEADER_ROLES'].split(',').includes('$ROLE_PLAYER')) || s.headers['$HEADER_ROLES'].split(',').includes('$ROLE_ADMIN'))/"
+patch_sed user-header-login resources/app/dist/sessions.mjs "s/testPassword(\w\+,\(\w\+\)\.password,\w\+.passwordSalt)/((s.headers['$HEADER_USERNAME'].toLowerCase() === \1.name.toLowerCase() \&\& s.headers['$HEADER_ROLES'].split('$HEADER_ROLES_SEPARATOR').includes('$ROLE_PLAYER')) || s.headers['$HEADER_ROLES'].split('$HEADER_ROLES_SEPARATOR').includes('$ROLE_ADMIN'))/"
 
 # Hide password fields.
 patch_append hide-password-fields resources/app/public/css/foundry2.css << END
@@ -59,7 +60,7 @@ patch_append hide-password-fields resources/app/public/css/foundry2.css << END
 END
 
 # Pass information about the user info from the headers to the client side. This is used for auto-login behavior, as well as to hide elements that aren't relevant for players.
-patch_sed track-header-info resources/app/dist/sessions.mjs "s/global\.logger\.info(\`Created client session \${\(\w\+\)\.id}\`)/(t.headerInfo = { username: s.headers['$HEADER_USERNAME'], isAdmin: s.headers['$HEADER_ROLES']?.split(',')?.includes('$ROLE_ADMIN') ?? false }), &/"
+patch_sed track-header-info resources/app/dist/sessions.mjs "s/global\.logger\.info(\`Created client session \${\(\w\+\)\.id}\`)/(t.headerInfo = { username: s.headers['$HEADER_USERNAME'], isAdmin: s.headers['$HEADER_ROLES']?.split('$HEADER_ROLES_SEPARATOR')?.includes('$ROLE_ADMIN') ?? false }), &/"
 patch_sed track-header-info resources/app/dist/server/sockets.mjs 's/\(\w\+\)\.sessionId=\(\w\+\)\.id/&,\1.headerInfo = \2.headerInfo/'
 patch_sed track-header-info resources/app/public/scripts/foundry.mjs 's/id = response\.sessionId;/& localStorage.headerInfo = JSON.stringify(response.headerInfo);/'
 patch_append track-header-info resources/app/public/scripts/foundry.mjs << END
diff --git a/tutorials/authentik_traefik.md b/tutorials/authentik_traefik.md
@@ -6,8 +6,6 @@ This guide supposes you have a working Authentik and Traefik setup on docker. Sp
 
 ## Modifying the patch
 
-You need to modify the patch (`patches.sh`) so that all `split(',')` calles are replaced with `split('|') as Authentik uses `|`as a seprator for multiple roles. This is needed to make the patch work with Authentik. I'm bad at regex and js, so I didn't modify the patch source code to support both`,`and`|`, but you can do it if you want to.
-
 You can skip the next 2 sections if you follow this [Tutorial](https://docs.ibracorp.io/authentik/authentik/docker-compose/traefik-forward-auth-single-applications) to set up Authentik with Traefik Forward Auth.
 
 ## Traefik Forward Auth Configuration
@@ -70,6 +68,7 @@ foundry:
 
       - HEADER_USERNAME=x-authentik-username    # This needs to be lowercase and present as X-authentik-username in traefik dynamic config
       - HEADER_ROLES=x-authentik-groups         # As above, but X-authentik-groups
+      - HEADER_ROLES_SEPARATOR='|'              # The default is ',', but Authentik uses '|'.
       - ROLE_PLAYER=foundry-player              # This is the group name you set in Authentik for players
       - ROLE_ADMIN=foundry-admin                # This is the group name you set in Authentik for admins
 
