Conversation

@jake-dog jake-dog commented Apr 30, 2025

Update 2025-05-13: I've been running this for the past few weeks and added two commits to improve it. The integration with oauth2-proxy is seamless!

Description

  • add configurable logout page for use with proxy/hook auth
  • allow token renewal after expiration when safe to do so with proxy auth and a custom logout page
  • improve security by validating alg as recommended

Configurable logoutPage

The logout button is hidden when proxy auth is used (re: #934) because, at the time, logging out of oauth2_proxy could not be done in filebrowser.

oauth2_proxy has since been updated to call the upstream auth provider's logout method, re: oauth2-proxy/oauth2-proxy#1876. filebrowser requires changes before this feature can be used:

  1. add a configurable logoutPage URL to filebrowser settings
  2. unhide the logout button when logoutPage is not set to the default (i.e. /login)

Example:

  • set a custom logoutPage for filebrowser

    ./filebrowser config set --logoutpage "/oauth2/sign_out?rd=https%3A%2F%2Ffilebrowser"
    
  • run oauth2-proxy with custom logout URL (for keycloak)

    --backend-logout-url='https://keycloak/realms/myrealm/protocol/openid-connect/logout?id_token_hint={id_token}'
    

Token renewal after expiration

Users with proxy auth and a custom logout page are likely to encounter friction with filebrowser's default token renewal mechanism. The lifetime of session/renewal tokens issued by an auth proxy will conflict with filebrowser's JWT, prematurely logging out the user. To mitigate this issue the filebrowser token may be renewed after expiration if, and only if, the following conditions are met:

  1. proxy auth is used with a custom logoutpage
  2. the filebrowser issued JWT is valid in every way except the expiration date

Validate token 'alg'

The golang-jwt/jwt/v4 library strongly encourages that the implementer validate the token 'alg'. From the documentation:

The caller is strongly encouraged to set the WithValidMethods option to validate the 'alg' claim in the token matches the expected algorithm.

In light of the fact that this request makes it possible to renew expired tokens under specific circumstances, it makes sense to also ensure all JWT security guidance is strictly adhered to.

🚨 Before submitting your PR, please indicate which issues are either fixed or closed by this PR. See GitHub Help: Closing issues using keywords.

  • DO make sure you are requesting to pull a topic/feature/bugfix branch (right side). Don't request your master!
  • DO make sure you are making a pull request against the master branch (left side). Also you should start your branch off our master.
  • DO make sure that File Browser can be successfully built. See builds and development.
  • AVOID breaking the continuous integration build.
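The two rules in the description, reject an unexpected 'alg' before anything else and renew after expiry only under proxy auth with a custom logout page when expiry is the token's sole defect, as an added stand-alone Python example; this is not filebrowser's Go code, and the key, claim names and the "proxy" auth-method string are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json

class TokenExpired(Exception):
    """Raised only when expiry is the token's sole defect."""

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_hs256(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Constructed helper: build a compact JWT; alg is varied only to build test inputs."""
    header = _b64url(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    tag = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest() if alg == "HS256" else b""
    return f"{header}.{body}.{_b64url(tag)}"

def verify_hs256(token: str, key: bytes, now: float) -> dict:
    """Check alg, then signature, then exp: TokenExpired means valid in every way except exp."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_unb64url(header_b64))
        claims = json.loads(_unb64url(body_b64))
    except ValueError as e:
        raise ValueError("malformed token") from e
    # Same intent as golang-jwt's WithValidMethods: the header's alg must be the one we expect.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_unb64url(sig_b64), expected):
        raise ValueError("bad signature")
    if not isinstance(claims, dict) or not isinstance(claims.get("exp"), (int, float)):
        raise ValueError("exp claim required")
    if claims["exp"] < now:
        raise TokenExpired()
    return claims

def may_renew(auth_method: str, logout_page: str, token: str, key: bytes, now: float) -> bool:
    """The PR rule: an expired token is renewable only with proxy auth and a custom logout page."""
    try:
        verify_hs256(token, key, now)
        return False  # still valid: the normal renewal path applies
    except TokenExpired:
        return auth_method == "proxy" and bool(logout_page)
    except ValueError:
        return False  # forged, alg-swapped or malformed: never renewable
```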

@jake-dog jake-dog requested a review from o1egl as a code owner April 30, 2025 01:45
@hacdias hacdias requested a review from a team as a code owner November 14, 2025 15:27
@hacdias hacdias removed the request for review from o1egl November 14, 2025 15:28
@hacdias hacdias left a comment

@jake-dog this is nice. I just updated your PR with the latest changes from main. Could you see my comment above?

Also, could you validate if it works correctly with my updates?

@hacdias hacdias changed the title feat: Add configurable logoutPage URL for proxy/hook auth feat: configurable logout page URL for proxy/hook auth Nov 14, 2025
jake-dog commented Nov 28, 2025

During testing I discovered that the idle timeout mechanism from #5439 conflicts with proxy auth's external token lifetime. As a temporary fix I've disabled the idle timeout logout mechanism when proxy auth and custom logout is used (eebfdbc), however a future improvement could be to allow the idle timeout to be set to an arbitrary user configured value, or disabled entirely (set zero or negative).

Furthermore I noticed that the JWT was being accidentally validated twice per request due to #5535. The first token validation occurs in request.ParseFromRequest(), and the redundant validation occurs in (*jwt.Validator).Validate().

    // First validation: ParseFromRequest parses the token and already runs the validator
    token, err := request.ParseFromRequest(r, &extractor{}, keyFunc, request.WithClaims(&tk))

    // Second, redundant validation of the same claims
    err = jwt.NewValidator(jwt.WithExpirationRequired()).Validate(tk)

Filebrowser can regain a tiny bit of performance by omitting the redundant validation (8e5c0b1).

Breadcrumbs for how JWTv5 ParseFromRequest also validates
  1. request.ParseFromRequest() calls jwt.ParseWithClaims
  2. jwt.ParseWithClaims calls (*jwt.Validator).Validate()

@hacdias hacdias left a comment

Just a few questions!

@hacdias hacdias merged commit b9ac45d into filebrowser:master Nov 30, 2025
6 checks passed
@jake-dog jake-dog deleted the custom-logout-page branch November 30, 2025 07:50