Allow pre-auth through REMOTE_USER header

Pre-auth looks at the REMOTE_USER header and if it is set, Scriptform
performs no validation of the password and just assumes the username is
correct. This allows pre-authentication from a front-end such as Apache
for HTAUTH, LDAP, OpenID / SSO, etc.

README.md

@@ -218,15 +218,16 @@ them in the local directory.
 
 To run ScriptForm in the foreground, specify the `-f` option. 
 
-If you're going to use basic authentication, you can generate a password for
+If you're going to use built-in basic authentication, you can generate a
-your user with the `--generate-pw` option:
+password for your user with the `--generate-pw` option:
 
     $ scriptform --generate-pw
     Password: 
     Repeat password: 
     2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae
 
-You can paste the generated password into the password field. For more
+You can paste the generated password into the password field. You can also use
+an Apache (or other webserver) frontend for authentication. For more
 information, see the User Manual.
 
 ## Documentation

doc/MANUAL.md

@@ -51,6 +51,7 @@ This is the manual for version %%VERSION%%.
     - [Passwords](#users_passwords)
     - [Form limiting](#users_formlimit)
     - [Security considerations](#users_security)
+    - [Pre-authentication with Apache](#users_preauth)
 1. [Form customization](#cust)
     - [Custom CSS](#cust_css)
 1. [Security](#security)
@@ -1221,7 +1222,31 @@ For an example, see the [beginning of this chapter](#users).
   *does* support HTTPS, such as Apache. For more information on that, see the
   "Invocations" chapter.
 
+### <a name="users_preauth">Pre-authentication with Apache</a>
 
+If you're running behind Apache or another webserver, you can use
+features in Apache to do the authentication for you. This allows you to use
+LDAP or OpenID (SSO) authentication.
+
+You must pass the `REMOTE_USER` header (not environment variable!) to
+Scriptform to get this working. For example, in Apache:
+
+    RequestHeader set REMOTE_USER %{REMOTE_USER}s
+
+    Redirect permanent /scriptform /scriptform/
+    ProxyPass /scriptform/ http://localhost:8081/
+    ProxyPassReverse /scriptform/ http://localhost:8081/
+
+    <Location /scriptform>
+        AuthType Basic
+        AuthName "Restricted Files"
+        AuthBasicProvider file
+        AuthUserFile "/var/www/users"
+        Require valid-user
+    </Location>
+
+If such a header is seen, Scriptform won't perform validation of the password
+and just assumes the username is correct.
 
 
 ## <a name="cust">Form customization</a>

src/webapp.py

@@ -181,13 +181,19 @@ class ScriptFormWebApp(RequestHandler):
     def auth(self):
         """
         Verify that the user is authenticated. This is required if the form
-        definition contains a 'users' field. Returns the username if the user
+        definition contains a 'users' field (unless pre-auth from a front-end
-        is validated or None if no validation is required.. Otherwise, raises a
+        such as Apache is used). Returns the username if the user is validated
-        401 HTTP back to the client.
+        or None if no validation is required. Otherwise, raises a 401 HTTP
+        back to the client.
         """
         form_config = self.scriptform.get_form_config()
         username = None
 
+        # Allow pre-auth from e.g. Apache htauth
+        if 'REMOTE_USER' in self.headers:
+            username = self.headers.get('REMOTE_USER')
+            return self.headers.get('REMOTE_USER')
+
         # If a 'users' element was present in the form configuration file, the
         # user must be authenticated.
         if form_config.users: