Skip to content

feat: enhance passkey to support reverse proxy (trusted proxies config)#11935

Closed
Copilot wants to merge 2 commits intodev-v2from
copilot/review-pull-11866
Closed

feat: enhance passkey to support reverse proxy (trusted proxies config)#11935
Copilot wants to merge 2 commits intodev-v2from
copilot/review-pull-11866

Conversation

Copy link
Contributor

Copilot AI commented Feb 24, 2026
edited
Loading

Passkey previously required direct TLS termination at 1Panel. When running behind a reverse proxy, HTTPS was not detected, making passkey unusable even with a valid domain bound.

Changes

Backend (core/app/service/auth.go)

  • Remove hard SSL-setting gate from passkeyEnabled(); HTTPS detection now relies solely on request scheme
  • Extend passkeyRequestScheme() to honor Forwarded / X-Forwarded-Proto headers only when the request originates from a trusted proxy IP/CIDR
  • Add loadPasskeyTrustedProxies() / parsePasskeyTrustedProxies() — reads PasskeyTrustedProxies setting (default: 127.0.0.1, ::1)
  • Add passkeyForwardedProto() and passkeyXForwardedProto() parsers

Backend (core/app/api/v2/setting.go, core/app/dto/setting.go)

  • Expose PasskeyTrustedProxies as a persisted setting with server-side IP/CIDR normalization and validation via normalizePasskeyTrustedProxies()

Frontend

  • Passkey drawer restructured into two tabs: Key Management and Advanced
  • Advanced tab: textarea to configure trusted proxy IPs/CIDRs, saved via existing updateSetting API
  • Registration availability now gates on bindDomain being set (not SSL status), matching the actual server-side requirement
  • New i18n keys: passkeyKeyManagement, passkeyTrustedProxies, passkeyTrustedProxiesHelper; updated passkeyRequireSSL message

🔒 GitHub Advanced Security automatically protects Copilot coding agent pull requests. You can protect all pull requests by enabling Advanced Security for your repositories. Learn more about Advanced Security.

@f2c-ci-robot
Copy link

f2c-ci-robot bot commented Feb 24, 2026

Adding the "do-not-merge/release-note-label-needed" label because no release-note block was detected, please follow our release note process to remove it.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@wanghe-fit2cloud
feat: enhance passkey function to support reverse proxy configuration
b7e99a0 
Co-authored-by: wanghe-fit2cloud <46734380+wanghe-fit2cloud@users.noreply.github.com>
@f2c-ci-robot
Copy link

f2c-ci-robot bot commented Feb 24, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please ask for approval from wanghe-fit2cloud. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

Copilot AI changed the title [WIP] Review changes in pull request #11866 feat: enhance passkey to support reverse proxy (trusted proxies config) Feb 24, 2026
@HynoR
Copy link
Contributor

HynoR commented Feb 24, 2026
edited
Loading

建议用codex 的 review 功能 + AGENTS.md 索引指导,效果比较好。 github copilot 的 review 功能一言难尽。如果需要 review 是在其他人 pr 上 @ copilot 去 review。 这里他直接照抄我的东西了 :(

@maninhill maninhill deleted the copilot/review-pull-11866 branch February 26, 2026 10:29
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@wanghe-fit2cloud wanghe-fit2cloud

Copilot code review Copilot

Labels

do-not-merge/release-note-label-needed do-not-merge/work-in-progress

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@HynoR @wanghe-fit2cloud