From 32c43fafd2fbc6e97f9e06af2e2fd69ff0478b17 Mon Sep 17 00:00:00 2001
From: Ross Williams
Date: Mon, 20 Oct 2025 14:40:17 +0000
Subject: [PATCH 1/3] Add deny-on-empty-user feature to ENV auth
Add AUTH_ENV_DENY_EMPTY setting to cause ENV authentication to report "unauthorized" if the value of the AUTH_ENV_USER_VAR environment variable is empty. If the environment variable is missing altogether from the $_SERVER environment, report "failed".
Signed-off-by: Ross Williams
---
 app/config/auth/env.php | 3 ++-
 app/lib/munkireport/AuthEnv.php | 19 ++++++++++++++++---
 2 files changed, 18 insertions(+), 4 deletions(-)
diff --git a/app/config/auth/env.php b/app/config/auth/env.php
index 7b7157ec4..8fb059319 100644
--- a/app/config/auth/env.php
+++ b/app/config/auth/env.php
@@ -1,5 +1,6 @@ 'REMOTE_USER',
+ 'env_user_var' => env('AUTH_ENV_USER_VAR', 'REMOTE_USER'),
+ 'env_user_deny_empty' => env('AUTH_ENV_DENY_EMPTY', false),
 ];
diff --git a/app/lib/munkireport/AuthEnv.php b/app/lib/munkireport/AuthEnv.php
index a049892f5..3b0b5d0d5 100644
--- a/app/lib/munkireport/AuthEnv.php
+++ b/app/lib/munkireport/AuthEnv.php
@@ -4,7 +4,7 @@
 class AuthEnv extends AbstractAuth
 {
- private $config;
+ private $config, $login, $authStatus;
 public function __construct($config)
 {
@@ -13,6 +13,19 @@ public function __construct($config)
 public function login($login, $password)
 {
+ $this->login = getenv($this->config['env_user_var']);
+
+ if ($this->config['env_user_deny_empty'] && empty($this->login)) {
+ if ($this->login === '') {
+ $this->authStatus = 'unauthorized';
+ } elseif ($this->login === false) {
+ $this->authStatus = 'failed';
+ }
+
+ return false;
+ }
+
+ $this->authStatus = 'success';
 return true;
 }
@@ -23,12 +36,12 @@ public function getAuthMechanism()
 public function getAuthStatus()
 {
- return 'success';
+ return $this->authStatus;
 }
 public function getUser()
 {
- return getenv($this->config['env_user_var']);
+ return $this->login;
 }
 public function getGroups()
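Review bot: `env('AUTH_ENV_DENY_EMPTY', false)` is consumed as a plain truthy check in `AuthEnv::login()`, and the accompanying `.env.example` ships `AUTH_ENV_DENY_EMPTY=FALSE`; if this project's `env()` helper returns the raw string rather than a boolean (worth confirming), that value is truthy and the deny branch is switched on by the example configuration, the opposite of what the example suggests. Normalising at the config boundary removes the dependence on the helper's conversion rules, `'env_user_deny_empty' => filter_var(env('AUTH_ENV_DENY_EMPTY', false), FILTER_VALIDATE_BOOLEAN),`. The removed line of this hunk appears garbled in the patch as shown, so the previous default could not be checked here.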
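Review bot: `empty($this->login)` also matches the string `'0'`, so with deny enabled a user whose variable value is literally `0` takes neither inner branch, leaves `$authStatus` unset and still returns false; the condition should name exactly the two cases the commit message describes, `if ($this->config['env_user_deny_empty'] && ($this->login === '' || $this->login === false)) {`. With the setting off (the default) an empty or missing variable still reports `'success'` and `getUser()` hands `''` or `false` back to the caller, so the stricter behaviour is opt-in — worth a comment above the check stating that, or reconsidering the default. The commit message describes the lookup in terms of `$_SERVER`, but the code reads `getenv()`; the two are not guaranteed to agree under every SAPI, so a comment should say which view is authoritative. `$authStatus` has no initial value, so `getAuthStatus()` (changed in the last hunk of this file) returns null until `login()` has run, where it previously returned `'success'` unconditionally.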
From bd27ba6a0e04cb864c307b4e7cf7e92fad1fcc4d Mon Sep 17 00:00:00 2001
From: Ross Williams
Date: Mon, 20 Oct 2025 14:42:35 +0000
Subject: [PATCH 2/3] Fix variable name in app/lib/munkireport/AuthLDAP
private $auth_status should be $authStatus, based on usage in methods.
Signed-off-by: Ross Williams
---
 app/lib/munkireport/AuthLDAP.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/app/lib/munkireport/AuthLDAP.php b/app/lib/munkireport/AuthLDAP.php
index b788a15a2..32d8f100b 100644
--- a/app/lib/munkireport/AuthLDAP.php
+++ b/app/lib/munkireport/AuthLDAP.php
@@ -4,7 +4,7 @@
 class AuthLDAP extends AbstractAuth
 {
- private $config, $groups, $login, $auth_status;
+ private $config, $groups, $login, $authStatus;
 public function __construct($config)
 {
From 2042c9b9fd25b5a1bd1c9aa61107d7658fa7d22e Mon Sep 17 00:00:00 2001
From: Ross Williams
Date: Tue, 21 Oct 2025 22:54:02 +0000
Subject: [PATCH 3/3] Document ENV authentication changes
Added feature to deny auth if user environment variable is empty
Signed-off-by: Ross Williams
---
 .env.example | 14 ++++++++++++++
 docs/configure.md | 2 ++
 2 files changed, 16 insertions(+)
diff --git a/.env.example b/.env.example
index 9d25cf01a..26bc8b0c2 100644
--- a/.env.example
+++ b/.env.example
@@ -79,6 +79,7 @@ SITENAME="MunkiReport"
 #
 # AUTH_METHODS can be one of
 # - "NOAUTH": No authentication
+# - "ENV": Environment variable (without password) Authentication
 # - "LOCAL" : Local Users defined as .yml in the "users" folder
 # - "LDAP": LDAP Authentication
 # - "AD": Active Directory Authentication
@@ -86,6 +87,7 @@ SITENAME="MunkiReport"
 #
 # Authentication providers are checked in this order:
 # - Noauth
+# - Environment variable
 # - Generated local user
 # - LDAP
 # - Active Directory
@@ -93,6 +95,18 @@ SITENAME="MunkiReport"
 AUTH_METHODS="NOAUTH"
+# ENVIRONMENT VARIABLE AUTHENTICATION
+# -------------------------------
+#
+# Read the authenticated username from the
+# given server environment variable. Useful
+# for handling authentication via a reverse
+# proxy (i.e. HTTP header, forward auth, Kerberos)
+AUTH_ENV_USER_VAR="REMOTE_USER"
+# Set to TRUE to fail authentication if the
+# above-named variable is empty or missing.
+AUTH_ENV_DENY_EMPTY=FALSE
+
 # ACTIVE DIRECTORY AUTHENTICATION
 # -------------------------------
 #
diff --git a/docs/configure.md b/docs/configure.md
index 76e2a9780..2a79c68df 100644
--- a/docs/configure.md
+++ b/docs/configure.md
@@ -59,5 +59,7 @@ Munkireport will **not** set the passphrase on the client through the install sc
 - `SITENAME`: The site name which will appear in the title bar of your browser, Default: `MunkiReport`.
 - `AUTH_METHODS`: A comma separated list of supported Authentication methods. Any combination of:
 - `NOAUTH`: No authentication required
+ - `ENV`: Environment variable Authentication
+ - `LOCAL` : Local Users defined as .yml in the `users` folder
 - `LDAP`: LDAP Authentication
 - `AD`: Active Directory Authentication