feat(auth): implement Home Assistant Ingress auth

- Add required API permissions and cURL extension to configuration
- Implement HomeAssistantAuthMiddleware with graceful Supervisor proxy fallback for direct-port logins
- Automate middleware injection via a sequenced S6-overlay v3 oneshot service
- Update DOCS.md to detail the new 'enable_ingress_auth' option

Author: coaster3000

grocy/DOCS.md

@@ -218,6 +218,15 @@ equal Sunday:
 - `calendar_first_day_of_week`
 - `meal_plan_first_day_of_week`
 
+### Option: `enable_ingress_auth`
+
+Enables authentication through home assistant, automatically logging users in with their current home assistant session when accessed through ingress. 
+
+Additionally allows authenticating a user through home assistant's supervisor when accessing directly without ingress.
+
+Default is `false`.
+
+
 ### Option: `grocy_ingress_user`
 
 Allows you to specify a default ingress user if desired (e.g. `admin`).

grocy/Dockerfile

@@ -20,6 +20,7 @@ RUN \
         php85-exif=8.5.6-r0 \
         php85-fileinfo=8.5.6-r0 \
         php85-fpm=8.5.6-r0 \
+        php85-curl=8.5.6-r0 \
         php85-gd=8.5.6-r0 \
         php85-iconv=8.5.6-r0 \
         php85-intl=8.5.6-r0 \

grocy/config.yaml

@@ -4,6 +4,8 @@ version: dev
 slug: grocy
 description: ERP beyond your fridge! A groceries & household management solution for your home
 url: https://github.com/hassio-addons/app-grocy
+hassio_api: true
+auth_api: true
 ingress: true
 ingress_stream: true
 init: false
@@ -49,6 +51,7 @@ options:
   ssl: true
   certfile: fullchain.pem
   keyfile: privkey.pem
+  enable_ingress_auth: false
   grocy_ingress_user: ""
 schema:
   log_level: list(trace|debug|info|notice|warning|error|fatal)?
@@ -92,4 +95,5 @@ schema:
   ssl: bool
   certfile: str
   keyfile: str
+  enable_ingress_auth: bool
   grocy_ingress_user: str

grocy/rootfs/etc/s6-overlay/s6-rc.d/init-ingress-auth/dependencies.d/init-grocy

@@ -0,0 +1,25 @@
+#!/usr/bin/with-contenv bashio
+
+CONFIG_FILE="/var/www/grocy/data/config.php"
+
+# 1. ALWAYS clean out any previous middleware matches first
+# This flushes out legacy non-namespaced leftovers from persistent storage
+if [ -f "$CONFIG_FILE" ]; then
+    sed -i "/HomeAssistantAuthMiddleware/d" "$CONFIG_FILE"
+fi
+
+if bashio::config.true 'enable_ingress_auth'; then
+    bashio::log.info "Ingress Auth enabled. Injecting fully-qualified AUTH_CLASS..."
+    
+    if [ ! -f "$CONFIG_FILE" ]; then
+        bashio::log.error "config.php was not found by the script!"
+        exit 1
+    fi
+
+    # 2. Append a fresh, properly namespaced configuration rule
+    echo "" >> "$CONFIG_FILE"
+    echo "Setting('AUTH_CLASS', 'Grocy\\Middleware\\HomeAssistantAuthMiddleware');" >> "$CONFIG_FILE"
+    bashio::log.green "Custom namespace auth class injected successfully."
+else
+    bashio::log.info "Ingress Auth disabled. Configuration verified clean."
+fi

grocy/rootfs/etc/s6-overlay/s6-rc.d/init-ingress-auth/run

@@ -0,0 +1 @@
+oneshot

grocy/rootfs/etc/s6-overlay/s6-rc.d/init-ingress-auth/type

@@ -0,0 +1 @@
+/etc/s6-overlay/s6-rc.d/init-ingress-auth/run

grocy/rootfs/etc/s6-overlay/s6-rc.d/init-ingress-auth/up

@@ -0,0 +1,97 @@
+<?php
+
+namespace Grocy\Middleware;
+
+use Grocy\Services\DatabaseService;
+use Grocy\Services\UsersService;
+use Grocy\Services\SessionService;
+use Psr\Http\Message\ServerRequestInterface as Request;
+
+class HomeAssistantAuthMiddleware extends AuthMiddleware
+{
+	public function authenticate(Request $request)
+	{
+		define('GROCY_EXTERNALLY_MANAGED_AUTHENTICATION', true);
+
+		$db = DatabaseService::GetInstance()->GetDbConnection();
+
+		$auth = new ApiKeyAuthMiddleware($this->AppContainer, $this->ResponseFactory);
+		$user = $auth->authenticate($request);
+		if ($user !== null)
+		{
+			return $user;
+		}
+
+		$haUserId = $request->getHeaderLine('X-Remote-User-Name');
+		$haDisplayName = $request->getHeaderLine('X-Remote-User-Display-Name');
+
+		if (strlen($haUserId) === 0)
+		{
+			$auth = new SessionAuthMiddleware($this->AppContainer, $this->ResponseFactory);
+			$user = $auth->authenticate($request);
+			if ($user !== null)
+			{
+				return $user;
+			}
+
+			return null;
+			// throw new \Exception('HomeAssistantAuthMiddleware: X-Remote-User-Id header is missing');
+		}
+
+		$user = $db->users()->where('username', $haUserId)->fetch();
+		if ($user == null)
+		{
+			$user = UsersService::GetInstance()->CreateUser($haUserId, $haDisplayName, '', '');
+			$user = $db->users()->where('username', $haUserId)->fetch();
+		}
+
+		return $user;
+	}
+
+	public static function ProcessLogin(array $postParams)
+	{
+		if (isset($postParams['username']) && isset($postParams['password']))
+		{
+			$username = $postParams['username'];
+			$password = $postParams['password'];
+
+			$supervisorToken = getenv('SUPERVISOR_TOKEN');
+			$payload = json_encode([
+				'username' => $username,
+				'password' => $password
+			]);
+
+			$ch = curl_init('http://supervisor/auth');
+			curl_setopt($ch, CURLOPT_CUSTOMREQUEST, 'POST');
+			curl_setopt($ch, CURLOPT_POSTFIELDS, $payload);
+			curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
+			curl_setopt($ch, CURLOPT_HTTPHEADER, [
+				'Content-Type: application/json',
+				'X-Supervisor-Token: ' . $supervisorToken
+			]);
+
+			$response = curl_exec($ch);
+			$httpCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
+
+			if ($httpCode === 200)
+			{
+				$db = DatabaseService::GetInstance()->GetDbConnection();
+				$user = $db->users()->where('username', $username)->fetch();
+
+				if ($user == null)
+				{
+					UsersService::GetInstance()->CreateUser($username, $username, '', '');
+					$user = $db->users()->where('username', $username)->fetch();
+				}
+
+				$stayLoggedInPermanently = isset($postParams['stay_logged_in']) && $postParams['stay_logged_in'] == 'on';
+				$sessionKey = SessionService::GetInstance()->CreateSession($user->id, $stayLoggedInPermanently);
+				self::SetSessionCookie($sessionKey);
+
+				return true;
+			}
+		}
+
+		return false;
+	}
+}