From f78099499617f556ebb1f0bb79bcca000d284b6e Mon Sep 17 00:00:00 2001
From: dakriy <git@persignum.com>
Date: Wed, 16 Jul 2025 11:32:34 -0700
Subject: [PATCH] feat(legacy): add config option for group separator in header
 auth (#3181)

### Description

Not all forward auth solutions use a comma for group seperator.

**This is a new feature**:

Yes

**I have updated the documentation to reflect these changes**:

Yes

### **Links**

[Authentik uses `|` so may as well make the group separator
configurable](https://docs.goauthentik.io/docs/add-secure-apps/providers/proxy/)
---
 docs/admin-manual/custom-authentication.md      | 1 +
 legacy/application/auth/adapters/HeaderAuth.php | 4 +++-
 legacy/application/configs/conf.php             | 1 +
 3 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/docs/admin-manual/custom-authentication.md b/docs/admin-manual/custom-authentication.md
index d6cd89262..ac5c583f7 100644
--- a/docs/admin-manual/custom-authentication.md
+++ b/docs/admin-manual/custom-authentication.md
@@ -149,6 +149,7 @@ header_auth:
   groups_header: Remote-Groups # This is the default and could be omitted
   email_header: Remote-Email # This is the default and could be omitted
   name_header: Remote-Name # This is the default and could be omitted
+  group_separator: "," # This is the default and could be omitted
   proxy_ip: 10.0.0.34
   group_map:
     host: lt-host
diff --git a/legacy/application/auth/adapters/HeaderAuth.php b/legacy/application/auth/adapters/HeaderAuth.php
index 7bf2a0b5b..2268a826a 100644
--- a/legacy/application/auth/adapters/HeaderAuth.php
+++ b/legacy/application/auth/adapters/HeaderAuth.php
@@ -54,7 +54,9 @@ class LibreTime_Auth_Adaptor_Header implements Zend_Auth_Adapter_Interface
             return UTYPE_GUEST;
         }
 
-        $groups = array_map(fn ($group) => trim($group), explode(',', $groups));
+        $separator = Config::get('header_auth.group_separator');
+
+        $groups = array_map(fn ($group) => trim($group), explode($separator, $groups));
 
         $superAdminGroup = Config::get('header_auth.group_map.superadmin');
         if (in_array($superAdminGroup, $groups)) {
diff --git a/legacy/application/configs/conf.php b/legacy/application/configs/conf.php
index e429ad609..6e7bd5bab 100644
--- a/legacy/application/configs/conf.php
+++ b/legacy/application/configs/conf.php
@@ -105,6 +105,7 @@ class Schema implements ConfigurationInterface
             /**/->scalarNode('groups_header')->defaultValue('Remote-Groups')->end()
             /**/->scalarNode('email_header')->defaultValue('Remote-Email')->end()
             /**/->scalarNode('name_header')->defaultValue('Remote-Name')->end()
+            /**/->scalarNode('group_separator')->defaultValue(',')->end()
             /**/->scalarNode('proxy_ip')->end()
             /**/->scalarNode('locale')->defaultValue('en-US')->end()
             /**/->arrayNode('group_map')->children()