From 62b8be1a10ecfbd0517ab46eaf511e4ac0b4c726 Mon Sep 17 00:00:00 2001
From: shamoon <4887959+shamoon@users.noreply.github.com>
Date: Sat, 13 Jan 2024 20:14:21 -0800
Subject: [PATCH] Fix unsafe requests with remote user auth

---
 src/paperless/auth.py     | 8 ++++++++
 src/paperless/settings.py | 5 +++--
 2 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/src/paperless/auth.py b/src/paperless/auth.py
index a23b01cb4..98e2a8b30 100644
--- a/src/paperless/auth.py
+++ b/src/paperless/auth.py
@@ -47,3 +47,11 @@ class HttpRemoteUserMiddleware(PersistentRemoteUserMiddleware):
     """
 
     header = settings.HTTP_REMOTE_USER_HEADER_NAME
+
+
+class PaperlessRemoteUserAuthentication(authentication.RemoteUserAuthentication):
+    """
+    REMOTE_USER authentication for DRF which overrides the default header.
+    """
+
+    header = settings.HTTP_REMOTE_USER_HEADER_NAME
diff --git a/src/paperless/settings.py b/src/paperless/settings.py
index bc815d4d5..1bf4d1491 100644
--- a/src/paperless/settings.py
+++ b/src/paperless/settings.py
@@ -429,8 +429,9 @@ HTTP_REMOTE_USER_HEADER_NAME = os.getenv(
 if ENABLE_HTTP_REMOTE_USER:
     MIDDLEWARE.append("paperless.auth.HttpRemoteUserMiddleware")
     AUTHENTICATION_BACKENDS.insert(0, "django.contrib.auth.backends.RemoteUserBackend")
-    REST_FRAMEWORK["DEFAULT_AUTHENTICATION_CLASSES"].append(
-        "rest_framework.authentication.RemoteUserAuthentication",
+    REST_FRAMEWORK["DEFAULT_AUTHENTICATION_CLASSES"].insert(
+        0,
+        "paperless.auth.PaperlessRemoteUserAuthentication",
     )
 
 # X-Frame options for embedded PDF display: