From 77658d19dd2e89961f7702b82cfee771d8a5b516 Mon Sep 17 00:00:00 2001
From: James Cole
Date: Fri, 31 Jul 2020 06:21:39 +0200
Subject: [PATCH 1/3] Update env for custom guard.
---
 .env.example | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)
diff --git a/.env.example b/.env.example
index 67e573fc3d..0184109765 100644
--- a/.env.example
+++ b/.env.example
@@ -173,12 +173,23 @@ LOGIN_PROVIDER=eloquent
 # It's also possible to change the way users are authenticated. You could use Authelia for example.
 # Authentication via the REMOTE_USER header is supported. Change the value below to "remote_user_guard".
 #
+# This will also allow Windows SSO.
+#
 # If you do this please read the documentation for instructions and warnings:
 # https://docs.firefly-iii.org/advanced-installation/authentication
 #
 # This function is available in Firefly III v5.3.0 and higher.
 AUTHENTICATION_GUARD=web
+#
+# By default, Firefly III uses the 'REMOTE_USER' header as per RFC 3875.
+# You can also use another header, like AUTH_USER when using Windows SSO.
+# Some systems use X-Auth headers. In that case, use HTTP_X_AUTH_USERNAME or HTTP_X_AUTH_EMAIL
+#
+# Firefly III won't be able to send emails when the header you use isn't an email address.
+#
+AUTHENTICATION_GUARD_HEADER=REMOTE_USER
+
 #
 # Likewise, it's impossible to log out users who's authentication is handled by an external system.
 # Enter a custom URL here that will force a logout (your authentication provider can tell you).
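Review bot: The new comment block recommends `HTTP_X_AUTH_USERNAME` and `HTTP_X_AUTH_EMAIL` without noting that every `HTTP_*` entry in `$_SERVER` is copied straight from the client's own request headers, whereas `REMOTE_USER` is set by the web server's auth module and cannot be supplied by the client. Without that caveat an operator who picks one of the X-Auth keys behind a proxy that does not strip inbound copies of the header lets any client log in as any user just by sending it. Suggest adding after the X-Auth line: `# WARNING: HTTP_* keys are taken from the client's own request headers. Only use one if your proxy strips or overwrites that header on every request, otherwise anyone can log in as any user.`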
@@ -227,12 +238,6 @@ ADLDAP_LOGIN_FALLBACK=false
 ADLDAP_DISCOVER_FIELD=distinguishedname
 ADLDAP_AUTH_FIELD=distinguishedname
 
-# Will allow SSO if your server provides an AUTH_USER field.
-# You can set the following variables from a file by appending them with _FILE:
-WINDOWS_SSO_ENABLED=false
-WINDOWS_SSO_DISCOVER=samaccountname
-WINDOWS_SSO_KEY=AUTH_USER
-
 # field to sync as local username.
 # You can set the following variable from a file by appending it with _FILE:
 ADLDAP_SYNC_FIELD=userprincipalname
From 981960fcb4945a716e4f868a269886563ec522c0 Mon Sep 17 00:00:00 2001
From: James Cole
Date: Fri, 31 Jul 2020 06:21:53 +0200
Subject: [PATCH 2/3] Remote user guard accepts custom header
---
 app/Support/Authentication/RemoteUserGuard.php | 11 ++++-------
 1 file changed, 4 insertions(+), 7 deletions(-)
diff --git a/app/Support/Authentication/RemoteUserGuard.php b/app/Support/Authentication/RemoteUserGuard.php
index baf2d94f73..d93b98bcfa 100644
--- a/app/Support/Authentication/RemoteUserGuard.php
+++ b/app/Support/Authentication/RemoteUserGuard.php
@@ -69,16 +69,13 @@ class RemoteUserGuard implements Guard
 return;
 }
 // Get the user identifier from $_SERVER
- $userID = request()->server('REMOTE_USER') ?? null;
+ $header = config('auth.guard_header', 'REMOTE_USER');
+ $userID = request()->server($header) ?? null;
 if (null === $userID) {
- Log::debug('No user in REMOTE_USER.');
- throw new FireflyException('The REMOTE_USER header was unexpectedly empty.');
+ Log::error(sprintf('No user in header "%s".', $header));
+ throw new FireflyException('The guard header was unexpectedly empty. See the logs.');
 }
-
- // do some basic debugging here:
- // $userID = 'test@firefly';
-
 /** @var User $user */
 $user = $this->provider->retrieveById($userID);
From 1e2829ed8ebdd442cd3446e4e7dbe9d76d078359 Mon Sep 17 00:00:00 2001
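Review bot: `request()->server($header)` on the new side trusts whatever `$_SERVER` key is configured, and an `HTTP_`-prefixed key (such as the `HTTP_X_AUTH_USERNAME` the accompanying `.env.example` suggests) is populated verbatim from the client's own request header, so unless the reverse proxy strips or overwrites that header on every request any client can authenticate as any user by sending it; `REMOTE_USER` is set by the web server's auth module and cannot be injected that way. The guard has no way to tell a proxy-set header from a client-set one, so the risk should at least be made visible to operators, e.g. before the lookup `if (0 === strpos($header, 'HTTP_')) { Log::warning(sprintf('Guard header "%s" is a client request header; make sure the proxy overwrites it.', $header)); }` together with a comment `// HTTP_* keys mirror client request headers: safe only when the proxy controls them.`. Whether `retrieveById()` auto-creates unknown users is outside this hunk and would widen the impact if it does; the enclosing method begins before and ends after the hunk.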
From: James Cole Date: Fri, 31 Jul 2020 06:50:57 +0200 Subject: [PATCH 3/3] New config for custom guard header --- config/auth.php | 3 ++- config/ldap_auth.php | 6 +++--- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/config/auth.php b/config/auth.php index 189babdc0a..1b49d38409 100644 --- a/config/auth.php +++ b/config/auth.php @@ -33,10 +33,11 @@ return [ | */ - 'defaults' => [ + 'defaults' => [ 'guard' => envNonEmpty('AUTHENTICATION_GUARD', 'web'), 'passwords' => 'users', ], + 'guard_header' => envNonEmpty('AUTHENTICATION_GUARD_HEADER', 'REMOTE_USER'), /* |-------------------------------------------------------------------------- diff --git a/config/ldap_auth.php b/config/ldap_auth.php index 2f395c809b..f661236d38 100644 --- a/config/ldap_auth.php +++ b/config/ldap_auth.php @@ -245,9 +245,9 @@ return [ */ 'windows' => [ - 'enabled' => envNonEmpty('WINDOWS_SSO_ENABLED', false), - 'locate_users_by' => envNonEmpty('WINDOWS_SSO_DISCOVER', 'samaccountname'), - 'server_key' => envNonEmpty('WINDOWS_SSO_KEY', 'AUTH_USER'), + 'enabled' => false, + 'locate_users_by' => 'samaccountname', + 'server_key' => 'AUTH_USER', ], ],
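Review bot: The `windows` block in config/ldap_auth.php now hardcodes `'enabled' => false` alongside `'locate_users_by'` and `'server_key'` values that can never take effect, and nothing in the file says why the former `WINDOWS_SSO_*` switches went away. A reader of this config alone cannot tell whether Windows SSO was dropped or merely moved, while the same series routes `AUTH_USER` users through the remote user guard. Suggest a comment above the block: `// Intentionally disabled: Windows SSO is now done via AUTHENTICATION_GUARD=remote_user_guard with AUTHENTICATION_GUARD_HEADER=AUTH_USER (see .env.example).` The enclosing `return [` array starts and ends outside the hunk.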