From b4d6f01432276556672aac48b8e1974d6e92d9e4 Mon Sep 17 00:00:00 2001
From: Ryan <ryantl66@gmail.com>
Date: Thu, 8 May 2025 04:43:33 -0400
Subject: [PATCH] feat(admin): add proxy-only auth bypass and configurable auth
 header (closes #28)

---
 CHANGELOG.md                        | 53 +++++++++++++++++-
 config/config.php                   | 56 +++++++++++++++++++
 public/js/adminPanel.js             | 83 ++++++++++++++++++++---------
 public/js/auth.js                   | 15 +++++-
 src/controllers/AdminController.php | 23 +++++++-
 src/controllers/AuthController.php  | 78 +++++++++++++--------------
 src/models/AdminModel.php           | 45 ++++++++++++++--
 7 files changed, 278 insertions(+), 75 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 300fdc9..ab61c7a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,56 @@
 # Changelog
 
+## Changes 5/8/2025 v1.3.2
+
+### config/config.php
+
+- Added a default `define('AUTH_BYPASS', false)` at the top so the constant always exists.
+- Removed the static `AUTH_HEADER` fallback; instead read the adminConfig.json at the end of the file and:
+  - Overwrote `AUTH_BYPASS` with the `loginOptions.authBypass` setting from disk.
+  - Defined `AUTH_HEADER` (normalized, e.g. `"X_REMOTE_USER"`) based on `loginOptions.authHeaderName`.
+- Inserted a **proxy-only auto-login** block *before* the usual session/auth checks:  
+  If `AUTH_BYPASS` is true and the trusted header (`$_SERVER['HTTP_' . AUTH_HEADER]`) is present, bump the session, mark the user authenticated/admin, load their permissions, and skip straight to JSON output.
+
+### src/controllers/AdminController.php
+
+- Ensured the returned `loginOptions` object always contains:
+  - `authBypass` (boolean, default false)
+  - `authHeaderName` (string, default `"X-Remote-User"`)
+- Read `authBypass` and `authHeaderName` from the nested `loginOptions` in the request payload.
+- Validated them (`authBypass` → bool; `authHeaderName` → non-empty string, fallback to `"X-Remote-User"`).
+- Included them when building the `$configUpdate` array to pass to the model.
+
+### src/models/AdminModel.php
+
+- Normalized `loginOptions.authBypass` to a boolean (default false).
+- Validated/truncated `loginOptions.authHeaderName` to a non-empty trimmed string (default `"X-Remote-User"`).
+- JSON-encoded and encrypted the full config, now including the two new fields.
+- After decrypting & decoding, normalized the loaded `loginOptions` to always include:
+  - `authBypass` (bool)
+  - `authHeaderName` (string, default `"X-Remote-User"`)
+- Left all existing defaults & validations for the original flags intact.
+
+### public/js/adminPanel.js
+
+- **Login Options** section:
+  - Added a checkbox for **Disable All Built-in Logins (proxy only)** (`authBypass`).
+  - Added a text input for **Auth Header Name** (`authHeaderName`).
+- In `handleSave()`:
+  - Included the new `authBypass` and `authHeaderName` values in the payload sent to `updateConfig.php`.
+- In `openAdminPanel()`:
+  - Initialized those inputs from `config.loginOptions.authBypass` and `config.loginOptions.authHeaderName`.
+
+### public/js/auth.js
+
+- In `loadAdminConfigFunc()`:
+  - Stored `authBypass` and `authHeaderName` in `localStorage`.
+- In `checkAuthentication()`:
+  - After a successful login check, called a new helper (`applyProxyBypassUI()`) which reads `localStorage.authBypass` and conditionally hides the entire login form/UI.
+  - In the “not authenticated” branch, only shows the login form if `authBypass` is false.
+- No other core fetch/token logic changed; all existing flows remain intact.
+
+---
+
 ## Changes 5/4/2025 v1.3.1
 
 ### Modals
@@ -20,7 +71,7 @@
 - **Inserted** inline `<style>` in `<head>` to:
   - Hide `.main-wrapper` by default.
   - Style `#loadingOverlay` as a full-viewport white overlay.
-  
+
 - **Added** `addUserModal`, `removeUserModal` & `renameFileModal` modals to `style="display:none;"`
 
 ### `main.js`
diff --git a/config/config.php b/config/config.php
index 7dfd828..2be927b 100644
--- a/config/config.php
+++ b/config/config.php
@@ -35,6 +35,7 @@ define('REGEX_USER',       '/^[\p{L}\p{N}_\- ]+$/u');
 
 date_default_timezone_set(TIMEZONE);
 
+
 // Encryption helpers
 function encryptData($data, $encryptionKey)
 {
@@ -114,6 +115,7 @@ if (empty($_SESSION['csrf_token'])) {
     $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
 }
 
+
 // Auto‑login via persistent token
 if (empty($_SESSION["authenticated"]) && !empty($_COOKIE['remember_me_token'])) {
     $tokFile = USERS_DIR . 'persistent_tokens.json';
@@ -140,6 +142,60 @@ if (empty($_SESSION["authenticated"]) && !empty($_COOKIE['remember_me_token']))
     }
 }
 
+$adminConfigFile = USERS_DIR . 'adminConfig.json';
+
+// sane defaults:
+$cfgAuthBypass = false;
+$cfgAuthHeader = 'X_REMOTE_USER';
+
+if (file_exists($adminConfigFile)) {
+    $encrypted = file_get_contents($adminConfigFile);
+    $decrypted = decryptData($encrypted, $encryptionKey);
+    $adminCfg  = json_decode($decrypted, true) ?: [];
+
+    $loginOpts = $adminCfg['loginOptions'] ?? [];
+
+    // proxy-only bypass flag
+    $cfgAuthBypass = ! empty($loginOpts['authBypass']);
+
+    // header name (e.g. “X-Remote-User” → HTTP_X_REMOTE_USER)
+    $hdr = trim($loginOpts['authHeaderName'] ?? '');
+    if ($hdr === '') {
+        $hdr = 'X-Remote-User';
+    }
+    // normalize to PHP’s $_SERVER key format:
+    $cfgAuthHeader = 'HTTP_' . strtoupper(str_replace('-', '_', $hdr));
+}
+
+define('AUTH_BYPASS',  $cfgAuthBypass);
+define('AUTH_HEADER',  $cfgAuthHeader);
+
+// ─────────────────────────────────────────────────────────────────────────────
+// PROXY-ONLY AUTO–LOGIN now uses those constants:
+if (AUTH_BYPASS) {
+    $hdrKey = AUTH_HEADER;   // e.g. "HTTP_X_REMOTE_USER"
+    if (!empty($_SERVER[$hdrKey])) {
+        // regenerate once per session
+        if (empty($_SESSION['authenticated'])) {
+            session_regenerate_id(true);
+        }
+
+        $username = $_SERVER[$hdrKey];
+        $_SESSION['authenticated'] = true;
+        $_SESSION['username']      = $username;
+
+        // ◾ lookup actual role instead of forcing admin
+        require_once PROJECT_ROOT . '/src/models/AuthModel.php';
+        $role = AuthModel::getUserRole($username);
+        $_SESSION['isAdmin'] = ($role === '1');
+
+        // carry over any folder/read/upload perms
+        $perms = loadUserPermissions($username) ?: [];
+        $_SESSION['folderOnly']    = $perms['folderOnly']    ?? false;
+        $_SESSION['readOnly']      = $perms['readOnly']      ?? false;
+        $_SESSION['disableUpload'] = $perms['disableUpload'] ?? false;
+    }
+}
 // Share URL fallback
 define('BASE_URL', 'http://yourwebsite/uploads/');
 if (strpos(BASE_URL, 'yourwebsite') !== false) {
diff --git a/public/js/adminPanel.js b/public/js/adminPanel.js
index 91b8afa..c9a13a5 100644
--- a/public/js/adminPanel.js
+++ b/public/js/adminPanel.js
@@ -3,7 +3,7 @@ import { loadAdminConfigFunc } from './auth.js';
 import { showToast, toggleVisibility, attachEnterKeyListener } from './domUtils.js';
 import { sendRequest } from './networkUtils.js';
 
-const version = "v1.3.1";
+const version = "v1.3.2";
 const adminTitle = `${t("admin_panel")} <small style="font-size:12px;color:gray;">${version}</small>`;
 
 // ————— Inject updated styles —————
@@ -188,8 +188,8 @@ function loadShareLinksSection() {
   // on non-2xx (including 404) or network error, resolve to {}
   function fetchMeta(fileName) {
     return fetch(`/api/admin/readMetadata.php?file=${encodeURIComponent(fileName)}`, {
-        credentials: "include"
-      })
+      credentials: "include"
+    })
       .then(resp => {
         if (!resp.ok) {
           // 404 or any other non-OK → treat as empty
@@ -204,9 +204,9 @@ function loadShareLinksSection() {
   }
 
   Promise.all([
-      fetchMeta("share_folder_links.json"),
-      fetchMeta("share_links.json")
-    ])
+    fetchMeta("share_folder_links.json"),
+    fetchMeta("share_links.json")
+  ])
     .then(([folders, files]) => {
       // if *both* are empty, show "no shared links"
       const hasAny = Object.keys(folders).length || Object.keys(files).length;
@@ -257,11 +257,11 @@ function loadShareLinksSection() {
             : "/api/file/deleteShareLink.php";
 
           fetch(endpoint, {
-              method: "POST",
-              credentials: "include",
-              headers: { "Content-Type": "application/x-www-form-urlencoded" },
-              body: new URLSearchParams({ token })
-            })
+            method: "POST",
+            credentials: "include",
+            headers: { "Content-Type": "application/x-www-form-urlencoded" },
+            body: new URLSearchParams({ token })
+          })
             .then(res => {
               if (!res.ok) throw new Error(`HTTP ${res.status}`);
               return res.json();
@@ -399,6 +399,14 @@ export function openAdminPanel() {
           <div class="form-group"><input type="checkbox" id="disableFormLogin" /> <label for="disableFormLogin">${t("disable_login_form")}</label></div>
           <div class="form-group"><input type="checkbox" id="disableBasicAuth" /> <label for="disableBasicAuth">${t("disable_basic_http_auth")}</label></div>
           <div class="form-group"><input type="checkbox" id="disableOIDCLogin" /> <label for="disableOIDCLogin">${t("disable_oidc_login")}</label></div>
+          <div class="form-group">
+            <input type="checkbox" id="authBypass" />
+            <label for="authBypass">Disable all built-in logins (proxy only)</label>
+          </div>
+          <div class="form-group">
+            <label for="authHeaderName">Auth header name:</label>
+            <input type="text" id="authHeaderName" class="form-control" placeholder="e.g. X-Remote-User" />
+          </div>
         `;
 
         // — WebDAV —
@@ -441,11 +449,20 @@ export function openAdminPanel() {
               }
             });
         });
+        // If authBypass is checked, clear the other three
+        document.getElementById("authBypass").addEventListener("change", e => {
+          if (e.target.checked) {
+            ["disableFormLogin", "disableBasicAuth", "disableOIDCLogin"]
+              .forEach(i => document.getElementById(i).checked = false);
+          }
+        });
 
         // Initialize inputs from config + capture
         document.getElementById("disableFormLogin").checked = config.loginOptions.disableFormLogin === true;
         document.getElementById("disableBasicAuth").checked = config.loginOptions.disableBasicAuth === true;
         document.getElementById("disableOIDCLogin").checked = config.loginOptions.disableOIDCLogin === true;
+        document.getElementById("authBypass").checked = !!config.loginOptions.authBypass;
+        document.getElementById("authHeaderName").value = config.loginOptions.authHeaderName || "X-Remote-User";
         document.getElementById("enableWebDAV").checked = config.enableWebDAV === true;
         document.getElementById("sharedMaxUploadSize").value = config.sharedMaxUploadSize || "";
         captureInitialAdminConfig();
@@ -457,6 +474,8 @@ export function openAdminPanel() {
         document.getElementById("disableFormLogin").checked = config.loginOptions.disableFormLogin === true;
         document.getElementById("disableBasicAuth").checked = config.loginOptions.disableBasicAuth === true;
         document.getElementById("disableOIDCLogin").checked = config.loginOptions.disableOIDCLogin === true;
+        document.getElementById("authBypass").checked = !!config.loginOptions.authBypass;
+        document.getElementById("authHeaderName").value = config.loginOptions.authHeaderName || "X-Remote-User";
         document.getElementById("enableWebDAV").checked = config.enableWebDAV === true;
         document.getElementById("sharedMaxUploadSize").value = config.sharedMaxUploadSize || "";
         document.getElementById("oidcProviderUrl").value = window.currentOIDCConfig.providerUrl;
@@ -471,19 +490,21 @@ export function openAdminPanel() {
 }
 
 function handleSave() {
-  const dFL = document.getElementById("disableFormLogin").checked;
-  const dBA = document.getElementById("disableBasicAuth").checked;
-  const dOIDC = document.getElementById("disableOIDCLogin").checked;
-  const eWD = document.getElementById("enableWebDAV").checked;
-  const sMax = parseInt(document.getElementById("sharedMaxUploadSize").value, 10) || 0;
-  const nHT = document.getElementById("headerTitle").value.trim();
-  const nOIDC = {
+  const dFL    = document.getElementById("disableFormLogin").checked;
+  const dBA    = document.getElementById("disableBasicAuth").checked;
+  const dOIDC  = document.getElementById("disableOIDCLogin").checked;
+  const aBypass= document.getElementById("authBypass").checked;
+  const aHeader= document.getElementById("authHeaderName").value.trim() || "X-Remote-User";
+  const eWD    = document.getElementById("enableWebDAV").checked;
+  const sMax   = parseInt(document.getElementById("sharedMaxUploadSize").value, 10) || 0;
+  const nHT    = document.getElementById("headerTitle").value.trim();
+  const nOIDC  = {
     providerUrl: document.getElementById("oidcProviderUrl").value.trim(),
-    clientId: document.getElementById("oidcClientId").value.trim(),
-    clientSecret: document.getElementById("oidcClientSecret").value.trim(),
+    clientId:    document.getElementById("oidcClientId").value.trim(),
+    clientSecret:document.getElementById("oidcClientSecret").value.trim(),
     redirectUri: document.getElementById("oidcRedirectUri").value.trim()
   };
-  const gURL = document.getElementById("globalOtpauthUrl").value.trim();
+  const gURL   = document.getElementById("globalOtpauthUrl").value.trim();
 
   if ([dFL, dBA, dOIDC].filter(x => x).length === 3) {
     showToast(t("at_least_one_login_method"));
@@ -491,12 +512,22 @@ function handleSave() {
   }
 
   sendRequest("/api/admin/updateConfig.php", "POST", {
-    header_title: nHT, oidc: nOIDC,
-    disableFormLogin: dFL, disableBasicAuth: dBA, disableOIDCLogin: dOIDC,
-    enableWebDAV: eWD, sharedMaxUploadSize: sMax, globalOtpauthUrl: gURL
+    header_title: nHT,
+    oidc: nOIDC,
+    loginOptions: {
+      disableFormLogin: dFL,
+      disableBasicAuth: dBA,
+      disableOIDCLogin: dOIDC,
+      authBypass:       aBypass,
+      authHeaderName:   aHeader
+    },
+    enableWebDAV:         eWD,
+    sharedMaxUploadSize:  sMax,
+    globalOtpauthUrl:     gURL
   }, {
     "X-CSRF-Token": window.csrfToken
-  }).then(res => {
+  })
+  .then(res => {
     if (res.success) {
       showToast(t("settings_updated_successfully"), "success");
       captureInitialAdminConfig();
@@ -505,7 +536,7 @@ function handleSave() {
     } else {
       showToast(t("error_updating_settings") + ": " + (res.error || t("unknown_error")), "error");
     }
-  }).catch(() => {/*noop*/ });
+  }).catch(() => {/*noop*/});
 }
 
 export async function closeAdminPanel() {
diff --git a/public/js/auth.js b/public/js/auth.js
index f9fceb4..6066dab 100644
--- a/public/js/auth.js
+++ b/public/js/auth.js
@@ -125,6 +125,13 @@ function updateItemsPerPageSelect() {
   }
 }
 
+function applyProxyBypassUI() {
+  const bypass = localStorage.getItem("authBypass") === "true";
+  const loginContainer = document.getElementById("loginForm");
+  if (loginContainer) {
+    loginContainer.style.display = bypass ? "none" : "";
+  }
+}
 
 function updateLoginOptionsUI({ disableFormLogin, disableBasicAuth, disableOIDCLogin }) {
   const authForm = document.getElementById("authForm");
@@ -146,7 +153,8 @@ function updateLoginOptionsUIFromStorage() {
   updateLoginOptionsUI({
     disableFormLogin: localStorage.getItem("disableFormLogin") === "true",
     disableBasicAuth: localStorage.getItem("disableBasicAuth") === "true",
-    disableOIDCLogin: localStorage.getItem("disableOIDCLogin") === "true"
+    disableOIDCLogin: localStorage.getItem("disableOIDCLogin") === "true",
+    authBypass:      localStorage.getItem("authBypass") === "true"
   });
 }
 
@@ -161,6 +169,8 @@ export function loadAdminConfigFunc() {
       localStorage.setItem("disableBasicAuth", config.loginOptions.disableBasicAuth);
       localStorage.setItem("disableOIDCLogin", config.loginOptions.disableOIDCLogin);
       localStorage.setItem("globalOtpauthUrl", config.globalOtpauthUrl || "otpauth://totp/{label}?secret={secret}&issuer=FileRise");
+      localStorage.setItem("authBypass", String(!!config.loginOptions.authBypass));
+      localStorage.setItem("authHeaderName", config.loginOptions.authHeaderName || "X-Remote-User");
 
       updateLoginOptionsUIFromStorage();
 
@@ -301,6 +311,7 @@ function checkAuthentication(showLoginToast = true) {
         localStorage.setItem("readOnly", data.readOnly);
         localStorage.setItem("disableUpload", data.disableUpload);
         updateLoginOptionsUIFromStorage();
+        applyProxyBypassUI();
         if (typeof data.totp_enabled !== "undefined") {
           localStorage.setItem("userTOTPEnabled", data.totp_enabled ? "true" : "false");
         }
@@ -317,7 +328,7 @@ function checkAuthentication(showLoginToast = true) {
         document.querySelector('.main-wrapper').style.display = '';
         document.getElementById('loginForm').style.display = '';
         if (showLoginToast) showToast("Please log in to continue.");
-        toggleVisibility("loginForm", true);
+        toggleVisibility("loginForm", ! (localStorage.getItem("authBypass")==="true"));
         toggleVisibility("mainOperations", false);
         toggleVisibility("uploadFileForm", false);
         toggleVisibility("fileListContainer", false);
diff --git a/src/controllers/AdminController.php b/src/controllers/AdminController.php
index 1e4bc9b..3ee5a42 100644
--- a/src/controllers/AdminController.php
+++ b/src/controllers/AdminController.php
@@ -54,11 +54,22 @@ class AdminController
     {
         header('Content-Type: application/json');
         $config = AdminModel::getConfig();
-
-        // If an error was encountered, send a 500 status.
+    
         if (isset($config['error'])) {
             http_response_code(500);
         }
+    
+        if (!isset($config['loginOptions']) || !is_array($config['loginOptions'])) {
+            $config['loginOptions'] = [];
+        }
+        if (!array_key_exists('authBypass', $config['loginOptions'])) {
+            $config['loginOptions']['authBypass'] = false;
+        }
+        if (!array_key_exists('authHeaderName', $config['loginOptions'])) {
+            $config['loginOptions']['authHeaderName'] = 'X-Remote-User';
+        }
+        // ← END INSERT
+    
         echo json_encode($config);
         exit;
     }
@@ -203,6 +214,12 @@ class AdminController
             $sharedMaxUploadSize = filter_var($data['features']['sharedMaxUploadSize'], FILTER_VALIDATE_INT);
         }
 
+        $authBypass     = filter_var(
+            $data['loginOptions']['authBypass'] ?? false,
+            FILTER_VALIDATE_BOOLEAN
+        );
+        $authHeaderName = trim($data['loginOptions']['authHeaderName'] ?? '') ?: 'X-Remote-User';
+
         $configUpdate = [
             'header_title'         => $headerTitle,
             'oidc'                 => [
@@ -215,6 +232,8 @@ class AdminController
                 'disableFormLogin' => $disableFormLogin,
                 'disableBasicAuth' => $disableBasicAuth,
                 'disableOIDCLogin' => $disableOIDCLogin,
+                'authBypass'       => $authBypass,
+                'authHeaderName'   => $authHeaderName,
             ],
             'globalOtpauthUrl'     => $globalOtpauthUrl,
             'enableWebDAV'         => $enableWebDAV,          
diff --git a/src/controllers/AuthController.php b/src/controllers/AuthController.php
index 5811cb8..f07c2d6 100644
--- a/src/controllers/AuthController.php
+++ b/src/controllers/AuthController.php
@@ -342,48 +342,48 @@ class AuthController
     public function checkAuth(): void
     {
 
-    // 1) Remember-me re-login
-    if (empty($_SESSION['authenticated']) && !empty($_COOKIE['remember_me_token'])) {
-        $payload = AuthModel::validateRememberToken($_COOKIE['remember_me_token']);
-        if ($payload) {
-            $old = $_SESSION['csrf_token'] ?? bin2hex(random_bytes(32));
-            session_regenerate_id(true);
-            $_SESSION['csrf_token'] = $old;
-            $_SESSION['authenticated']  = true;
-            $_SESSION['username']       = $payload['username'];
-            $_SESSION['isAdmin']        = !empty($payload['isAdmin']);
-            $_SESSION['folderOnly']     = $payload['folderOnly']    ?? false;
-            $_SESSION['readOnly']       = $payload['readOnly']      ?? false;
-            $_SESSION['disableUpload']  = $payload['disableUpload'] ?? false;
-            // regenerate CSRF if you use one
-            
+        // 1) Remember-me re-login
+        if (empty($_SESSION['authenticated']) && !empty($_COOKIE['remember_me_token'])) {
+            $payload = AuthModel::validateRememberToken($_COOKIE['remember_me_token']);
+            if ($payload) {
+                $old = $_SESSION['csrf_token'] ?? bin2hex(random_bytes(32));
+                session_regenerate_id(true);
+                $_SESSION['csrf_token'] = $old;
+                $_SESSION['authenticated']  = true;
+                $_SESSION['username']       = $payload['username'];
+                $_SESSION['isAdmin']        = !empty($payload['isAdmin']);
+                $_SESSION['folderOnly']     = $payload['folderOnly']    ?? false;
+                $_SESSION['readOnly']       = $payload['readOnly']      ?? false;
+                $_SESSION['disableUpload']  = $payload['disableUpload'] ?? false;
+                // regenerate CSRF if you use one
 
-            // TOTP enabled? (same logic as below)
-            $usersFile = USERS_DIR . USERS_FILE;
-            $totp = false;
-            if (file_exists($usersFile)) {
-                foreach (file($usersFile, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) as $line) {
-                    $parts = explode(':', trim($line));
-                    if ($parts[0] === $_SESSION['username'] && !empty($parts[3])) {
-                        $totp = true;
-                        break;
+
+                // TOTP enabled? (same logic as below)
+                $usersFile = USERS_DIR . USERS_FILE;
+                $totp = false;
+                if (file_exists($usersFile)) {
+                    foreach (file($usersFile, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) as $line) {
+                        $parts = explode(':', trim($line));
+                        if ($parts[0] === $_SESSION['username'] && !empty($parts[3])) {
+                            $totp = true;
+                            break;
+                        }
                     }
                 }
-            }
 
-            echo json_encode([
-                'authenticated' => true,
-                'csrf_token'    => $_SESSION['csrf_token'],
-                'isAdmin'       => $_SESSION['isAdmin'],
-                'totp_enabled'  => $totp,
-                'username'      => $_SESSION['username'],
-                'folderOnly'    => $_SESSION['folderOnly'],
-                'readOnly'      => $_SESSION['readOnly'],
-                'disableUpload' => $_SESSION['disableUpload']
-            ]);
-            exit();
+                echo json_encode([
+                    'authenticated' => true,
+                    'csrf_token'    => $_SESSION['csrf_token'],
+                    'isAdmin'       => $_SESSION['isAdmin'],
+                    'totp_enabled'  => $totp,
+                    'username'      => $_SESSION['username'],
+                    'folderOnly'    => $_SESSION['folderOnly'],
+                    'readOnly'      => $_SESSION['readOnly'],
+                    'disableUpload' => $_SESSION['disableUpload']
+                ]);
+                exit();
+            }
         }
-    }
 
         $usersFile = USERS_DIR . USERS_FILE;
 
@@ -453,11 +453,11 @@ class AuthController
         if (empty($_SESSION['csrf_token'])) {
             $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
         }
-    
+
         // 2) Emit headers
         header('Content-Type: application/json');
         header('X-CSRF-Token: ' . $_SESSION['csrf_token']);
-    
+
         // 3) Return JSON payload
         echo json_encode([
             'csrf_token' => $_SESSION['csrf_token'],
diff --git a/src/models/AdminModel.php b/src/models/AdminModel.php
index 682aca6..5f0b483 100644
--- a/src/models/AdminModel.php
+++ b/src/models/AdminModel.php
@@ -16,10 +16,14 @@ class AdminModel
         $unit = strtolower(substr($val, -1));
         $num  = (int) rtrim($val, 'bkmgtpezyBKMGTPESY');
         switch ($unit) {
-            case 'g': return $num * 1024 ** 3;
-            case 'm': return $num * 1024 ** 2;
-            case 'k': return $num * 1024;
-            default:  return $num;
+            case 'g':
+                return $num * 1024 ** 3;
+            case 'm':
+                return $num * 1024 ** 2;
+            case 'k':
+                return $num * 1024;
+            default:
+                return $num;
         }
     }
 
@@ -63,6 +67,24 @@ class AdminModel
             $configUpdate['sharedMaxUploadSize'] = $sms;
         }
 
+        // ── NEW: normalize authBypass & authHeaderName ─────────────────────────
+        if (!isset($configUpdate['loginOptions']['authBypass'])) {
+            $configUpdate['loginOptions']['authBypass'] = false;
+        }
+        $configUpdate['loginOptions']['authBypass'] = (bool)$configUpdate['loginOptions']['authBypass'];
+
+        if (
+            !isset($configUpdate['loginOptions']['authHeaderName'])
+            || !is_string($configUpdate['loginOptions']['authHeaderName'])
+            || trim($configUpdate['loginOptions']['authHeaderName']) === ''
+        ) {
+            $configUpdate['loginOptions']['authHeaderName'] = 'X-Remote-User';
+        } else {
+            $configUpdate['loginOptions']['authHeaderName'] =
+                trim($configUpdate['loginOptions']['authHeaderName']);
+        }
+        // ───────────────────────────────────────────────────────────────────────────
+
         // Convert configuration to JSON.
         $plainTextConfig = json_encode($configUpdate, JSON_PRETTY_PRINT);
         if ($plainTextConfig === false) {
@@ -128,6 +150,19 @@ class AdminModel
                 $config['loginOptions']['disableOIDCLogin'] = (bool)$config['loginOptions']['disableOIDCLogin'];
             }
 
+            if (!array_key_exists('authBypass', $config['loginOptions'])) {
+                $config['loginOptions']['authBypass'] = false;
+            } else {
+                $config['loginOptions']['authBypass'] = (bool)$config['loginOptions']['authBypass'];
+            }
+            if (
+                !array_key_exists('authHeaderName', $config['loginOptions'])
+                || !is_string($config['loginOptions']['authHeaderName'])
+                || trim($config['loginOptions']['authHeaderName']) === ''
+            ) {
+                $config['loginOptions']['authHeaderName'] = 'X-Remote-User';
+            }
+
             // Default values for other keys
             if (!isset($config['globalOtpauthUrl'])) {
                 $config['globalOtpauthUrl'] = "";
@@ -166,4 +201,4 @@ class AdminModel
             ];
         }
     }
-}
\ No newline at end of file
+}