[PR #1579] WIP: auth-user-header: Support for Authelia, etc. #1647

Open
opened 2026-05-07 01:03:04 +02:00 by BreizhHardware · 0 comments

📋 Pull Request Information

Original PR: https://github.com/binwiederhier/ntfy/pull/1579
Author: @binwiederhier
Created: 1/30/2026
Status: 🔄 Open

Base: main ← Head: user-header


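📝 Commits (6)

  • 46cb9f2 User header
  • b67ffa4 Auth logout URL, auth proxy
  • 9b1be51 Remove auth_mode
  • 099cad0 Sw stuff
  • 857f574 Merge branch 'main' into user-header
  • 9e755a7 This works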

📊 Changes

13 files changed (+281 additions, -41 deletions)

📝 Dockerfile-build (+1 -0)
📝 cmd/serve.go (+28 -9)
📝 server/config.go (+4 -0)
📝 server/server.go (+29 -0)
📝 server/server.yml (+21 -0)
📝 server/server_test.go (+96 -0)
📝 server/types.go (+2 -0)
📝 web/public/config.js (+2 -0)
📝 web/public/sw.js (+38 -21)
📝 web/src/app/AccountApi.js (+23 -1)
📝 web/src/app/Session.js (+5 -1)
📝 web/src/components/ActionBar.jsx (+23 -7)
📝 web/src/components/Login.jsx (+9 -2)

📄 Description

This implements #601. It partially works. I tested it with Authelia.

What works

  • The configured auth-user-header (e.g. Remote-User) is passed from Authelia to ntfy, and ntfy then uses that header to pick the configured user in the backend
  • The web app redirects to Authelia when not logged in (this was very difficult due to aggressive service worker caching!)
  • The web app displays a logout button if auth-logout-url is configured, which allows you to log out via Authelia

What doesn't work

  • There seems to be a race when loading the web app that first initializes the database using "no user" (the ntfy IndexedDB is used instead of ntfy-$username), which leads to the wrong topics being shown in the sidebar. This can be easily reproduced when switching between users.
  • I have no idea how the Android app is supposed to work at all with this.

Setup

ntfy/server.yml

auth-file: ...
auth-user-header: Remote-User
auth-logout-url: 

Caddyfile

auth.dev.ntfy.sh {
  tls /etc/letsencrypt/live/dev.ntfy.sh/fullchain.pem /etc/letsencrypt/live/dev.ntfy.sh/privkey.pem
  reverse_proxy authelia:9091
}

ntfy.dev.ntfy.sh {
  tls /etc/letsencrypt/live/dev.ntfy.sh/fullchain.pem /etc/letsencrypt/live/dev.ntfy.sh/privkey.pem

  forward_auth authelia:9091 {
    uri /api/verify?rd=https://auth.dev.ntfy.sh/
    copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
  }

  reverse_proxy host.docker.internal:2586
}

authelia/configuration.yml

server:
  address: tcp://0.0.0.0:9091

log:
  level: info

authentication_backend:
  file:
    path: /config/users.yml
    password:
      algorithm: argon2id

access_control:
  default_policy: one_factor

session:
  secret: "REPLACE_WITH_LONG_RANDOM_1________________________________________"
  cookies:
    - domain: "dev.ntfy.sh"
      authelia_url: "https://auth.dev.ntfy.sh"
  expiration: 1h
  inactivity: 5m

storage:
  encryption_key: "REPLACE_WITH_LONG_RANDOM_2________________________________________"
  local:
    path: /config/db.sqlite3

notifier:
  filesystem:
    filename: /config/notification.txt

identity_validation:
  reset_password:
    jwt_secret: "REPLACE_WITH_LONG_RANDOM_3________________________________________"

docker-compose.yml

services:
  caddy:
    image: caddy:2
    ports:
      - "443:443/tcp"
      - "443:443/udp"
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile:ro
      - /etc/letsencrypt:/etc/letsencrypt:ro
      - caddy_data:/data
      - caddy_config:/config
    networks: [auth]
    extra_hosts:
      - "host.docker.internal:host-gateway"

  authelia:
    image: authelia/authelia:latest
    volumes:
      - ./authelia:/config
    networks: [auth]

networks:
  auth: {}

volumes:
  caddy_data: {}
  caddy_config: {}

🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
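
Because ntfy uses the `auth-user-header` value to pick the user, that header only means something when the request actually arrived through the authenticating proxy. The following is an added example, not code from this PR or from ntfy: a Go check that accepts `Remote-User` only from a trusted proxy network and rejects duplicated values. The names `trustedNet`, `fromTrustedProxy`, `proxyUser` and `resolve`, and the network `172.18.0.0/16`, are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
)

// userHeader mirrors the page's auth-user-header value. trustedNet is a
// hypothetical allow-list of proxy addresses (constructed sample network).
const userHeader = "Remote-User"

var _, trustedNet, _ = net.ParseCIDR("172.18.0.0/16")

// fromTrustedProxy reports whether the TCP peer is inside the allowed network.
func fromTrustedProxy(remoteAddr string) bool {
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		return false
	}
	ip := net.ParseIP(host)
	return ip != nil && trustedNet.Contains(ip)
}

// proxyUser returns the identity asserted by the proxy, or "" when the header
// must be ignored: untrusted peer, missing header, or more than one value.
func proxyUser(r *http.Request) string {
	vals := r.Header.Values(userHeader)
	if !fromTrustedProxy(r.RemoteAddr) || len(vals) != 1 {
		return ""
	}
	return vals[0]
}

// resolve builds a constructed request from peer with the given header values.
func resolve(peer string, values ...string) string {
	r := httptest.NewRequest(http.MethodGet, "/", nil)
	r.RemoteAddr = peer
	for _, v := range values {
		r.Header.Add(userHeader, v)
	}
	return proxyUser(r)
}

func main() {
	fmt.Printf("%q\n", resolve("172.18.0.2:40000", "phil"))   // via the proxy
	fmt.Printf("%q\n", resolve("203.0.113.9:40000", "admin")) // direct client
}
```

In the setup above the equivalent deployment-level control is that port 2586 is reachable only from the Caddy container, so no client can present its own `Remote-User` value to ntfy.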
