feat: configurable logout page URL for proxy/hook auth (#3884)

Co-authored-by: Henrique Dias <mail@hacdias.com>
2026-01-23 02:35:10 +00:00 · 2025-11-30 02:44:34 -05:00 · 2025-11-30 02:44:34 -05:00 · b9ac45d5da
commit b9ac45d5da
parent 701522a060
9 changed files with 52 additions and 9 deletions
--- a/http/auth.go
+++ b/http/auth.go
@ -12,7 +12,9 @@ import (
 	"github.com/golang-jwt/jwt/v5"
 	"github.com/golang-jwt/jwt/v5/request"

+	fbAuth "github.com/filebrowser/filebrowser/v2/auth"
 	fbErrors "github.com/filebrowser/filebrowser/v2/errors"
+	"github.com/filebrowser/filebrowser/v2/settings"
 	"github.com/filebrowser/filebrowser/v2/users"
 )

@ -61,6 +63,22 @@ func (e extractor) ExtractToken(r *http.Request) (string, error) {
 	return "", request.ErrNoTokenInRequest
 }

+func renewableErr(err error, d *data) bool {
+	if d.settings.AuthMethod != fbAuth.MethodProxyAuth || err == nil {
+		return false
+	}
+
+	if d.settings.LogoutPage == settings.DefaultLogoutPage {
+		return false
+	}
+
+	if !errors.Is(err, jwt.ErrTokenExpired) {
+		return false
+	}
+
+	return true
+}
+
 func withUser(fn handleFunc) handleFunc {
 	return func(w http.ResponseWriter, r *http.Request, d *data) (int, error) {
 		keyFunc := func(_ *jwt.Token) (interface{}, error) {
@ -68,13 +86,9 @@ func withUser(fn handleFunc) handleFunc {
 		}

 		var tk authToken
-		token, err := request.ParseFromRequest(r, &extractor{}, keyFunc, request.WithClaims(&tk))
-		if err != nil || !token.Valid {
-			return http.StatusUnauthorized, nil
-		}
-
-		err = jwt.NewValidator(jwt.WithExpirationRequired()).Validate(tk)
-		if err != nil {
+		p := jwt.NewParser(jwt.WithValidMethods([]string{jwt.SigningMethodHS256.Alg()}), jwt.WithExpirationRequired())
+		token, err := request.ParseFromRequest(r, &extractor{}, keyFunc, request.WithClaims(&tk), request.WithParser(p))
+		if (err != nil || !token.Valid) && !renewableErr(err, d) {
 			return http.StatusUnauthorized, nil
 		}

--- a/http/static.go
+++ b/http/static.go
@ -38,6 +38,7 @@ func handleWithStaticData(w http.ResponseWriter, _ *http.Request, d *data, fSys
 		"Signup":                d.settings.Signup,
 		"NoAuth":                d.settings.AuthMethod == auth.MethodNoAuth,
 		"AuthMethod":            d.settings.AuthMethod,
+		"LogoutPage":            d.settings.LogoutPage,
 		"LoginPage":             auther.LoginPage(),
 		"CSS":                   false,
 		"ReCaptcha":             false,