Problem
AUTH_MODE, helper app-passwords, TRUST_REMOTE_USER_HEADER, public bootstrap routes, and helper auto-enroll now interact in several places. The intended trust boundaries should be documented so future route changes do not accidentally widen access.
Desired outcome
Create a concise route-auth threat model and maintenance checklist.
Acceptance criteria
- Document which endpoints are public, session/proxy-authenticated, app-password-authenticated, or helper-bootstrap eligible.
- Document the reverse-proxy requirement for TRUST_REMOTE_USER_HEADER=true.
- Document that helper identity headers are not credentials by themselves.
- Add/update tests when new helper-facing routes are introduced.
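
One way the checklist could be made testable, as an added sketch that is not this project's code: every route declares one auth class, unclassified routes fail closed, the remote-user header counts only when the direct peer is the reverse proxy, and a helper identity header alone never authenticates. The route paths, the header names (Remote-User, X-Helper-Id, X-App-Password), the proxy address and all function names are assumptions.

```python
import hmac
import ipaddress
from enum import Enum

class Auth(Enum):
    PUBLIC = "public"
    SESSION_OR_PROXY = "session/proxy"
    APP_PASSWORD = "app-password"
    HELPER_BOOTSTRAP = "helper-bootstrap"

# Hypothetical routes; every registered route must appear here exactly once.
ROUTE_POLICY = {
    "/healthz": Auth.PUBLIC,
    "/api/settings": Auth.SESSION_OR_PROXY,
    "/api/helper/jobs": Auth.APP_PASSWORD,
    "/api/helper/enroll": Auth.HELPER_BOOTSTRAP,
}
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.2/32")]  # constructed value

def unclassified(registered_routes):
    """Routes with no declared auth class; a test should assert this is empty."""
    return sorted(set(registered_routes) - set(ROUTE_POLICY))

def from_trusted_proxy(peer_ip):
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in TRUSTED_PROXIES)

def authorize(path, peer_ip, headers, *, trust_remote_user=False,
              session_user=None, app_passwords=None):
    policy = ROUTE_POLICY.get(path)
    if policy is None:
        return False  # unclassified routes fail closed
    if policy is Auth.PUBLIC:
        return True
    if policy is Auth.SESSION_OR_PROXY:
        if session_user:
            return True
        # Remote-User is only meaningful when the proxy set it, so require
        # both the opt-in flag and a direct peer that is the proxy itself.
        return bool(trust_remote_user and from_trusted_proxy(peer_ip)
                    and headers.get("Remote-User"))
    if policy is Auth.APP_PASSWORD:
        # The helper identity header selects an account; the secret proves it.
        expected = (app_passwords or {}).get(headers.get("X-Helper-Id", ""))
        supplied = headers.get("X-App-Password", "")
        return bool(expected) and hmac.compare_digest(
            expected.encode(), supplied.encode())
    return False  # bootstrap eligibility rules are not specified in this issue
```
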