Conversation

@alok87 alok87 commented Oct 28, 2025

Proxy Support for auth

Implements authentication proxy support to enable password-less login via reverse proxy headers (OAuth2 Proxy, Authelia, etc.). Fixes #1144

Security: IP whitelist validation prevents header spoofing
Auto-provisioning: Creates users and shared team on first login
Backward compatible: Existing auth methods unchanged
Production ready: Works with OAuth2 Proxy, Authelia, Nginx, Traefik

When a user accesses HyperDX through a reverse proxy (like OAuth2 Proxy):

  1. User authenticates with OAuth provider (Google, GitHub, Okta, etc.)
  2. Reverse proxy validates the OAuth token and adds user's email to X-Forwarded-User header
  3. Auth proxy middleware intercepts the request and:
    • Validates the request comes from a whitelisted proxy IP (security check)
    • Extracts user email from the X-Forwarded-User header
    • Looks up the user in MongoDB by email
    • If user doesn't exist and auto-signup is enabled:
      • Creates a shared team called "Auth Proxy Team" (if it doesn't exist)
      • Creates the user and assigns them to this team
      • Sets up default connections and sources
    • Attaches the user to the request object
    • Establishes a Passport.js session
  4. User is logged in - no password needed!

The middleware runs before the existing authentication check, so if auth proxy is enabled, it takes priority. If disabled or the header is missing, it falls back to normal password authentication.

Code and Config Changes

Configuration added

AUTH_PROXY_ENABLED=true                    # Enable auth proxy
AUTH_PROXY_HEADER_NAME=X-Forwarded-User    # Header with user email
AUTH_PROXY_AUTO_SIGN_UP=true               # Auto-create users
AUTH_PROXY_WHITELIST=172.17.0.1,10.0.0.1   # Trusted proxy IPs

New Files

  • packages/api/src/middleware/authProxy.ts - Auth proxy middleware with IP whitelisting, user auto-provisioning, and session management

Modified Files

  • packages/api/src/middleware/auth.ts - Enhanced isUserAuthenticated() to check auth proxy first when enabled
  • packages/api/src/config.ts - Added 4 new environment variables for auth proxy configuration
  • packages/api/src/utils/logger.ts - Fixed default log level bug (??||)

How It Works

User → OAuth Provider → OAuth2 Proxy (adds header) → HyperDX → Logged in!

Testing

Test with header

$ curl -H "X-Forwarded-User: user@example.com" http://localhost:8000/me
{"accessKey":"2X","createdAt":"2025-10-28T12:13:56.866Z","email":"user@example.com","id":"6900b38438e3ac5d85d7d85c","name":"user@example.com","team":{"_id":"690091e6052a7002886b430d","name":"testuser@example.com's Team","allowedAuthMethods":[],"collectorAuthenticationEnforced":true,"hookId":"410ad587-3373-41c8-b685-693f7728b47e","apiKey":"219bf044-0dba-4d04-8698-ba545c65d18d","createdAt":"2025-10-28T09:50:30.101Z","updatedAt":"2025-10-28T09:50:30.101Z","__v":0,"id":"690091e6052a7002886b430d"},"usageStatsEnabled":false,"aiAssistantEnabled":true}

Verify in MongoDB

docker exec mongosh hyperdx --eval "db.users.find({email: 'user@example.com'})"


## Security Notes

⚠️ **MUST** set `AUTH_PROXY_WHITELIST` in production to prevent header spoofing  

hyperdx folks want to run behind their own reverse proxies which own
auth; hyperdx should natively support headers to allow such logins

Fixes hyperdxio#1144
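The flow laid out in the description above, written out as an added example; this is not the PR's code and not HyperDX's. MongoDB, Passport and Express are replaced with small in-memory stand-ins so it runs offline, and every name in it (`ProxyRequest`, `AuthProxyConfig`, `MemoryDb`, `configFromEnv`, `authProxy`, `demo`) is chosen here. Two things the description leaves open are decided explicitly: the trust check is made on the socket peer with an empty whitelist denying, and an unknown user arriving while auto sign-up is off falls through to password login rather than being provisioned.

```typescript
// Added example, not code from the HyperDX PR: a self-contained model of the
// auth-proxy flow described above. MongoDB, Passport and Express are replaced
// by in-memory stand-ins so it runs offline; every name below is chosen here.

type HeaderValue = string | string[] | undefined;

// Only the request fields the flow touches (Node lower-cases header names).
export interface ProxyRequest {
  headers: Record<string, HeaderValue>;
  socket: { remoteAddress?: string };
  user?: User;                       // set on success, as Passport would
}

export interface AuthProxyConfig {
  enabled: boolean;
  headerName: string;                // e.g. "X-Forwarded-User"
  autoSignUp: boolean;
  whitelist: string[];               // trusted proxy peer addresses
}

export interface Team { id: string; name: string }
export interface User { id: string; email: string; name: string; teamId: string }

// Constructed stand-in for the users and teams collections.
export class MemoryDb {
  users: User[] = [];
  teams: Team[] = [];
  private seq = 0;
  nextId(): string { this.seq += 1; return `id-${this.seq}`; }
}

export const AUTH_PROXY_TEAM_NAME = 'Auth Proxy Team';

// Parse the four environment variables from the PR description.
export function configFromEnv(env: Record<string, string | undefined>): AuthProxyConfig {
  return {
    enabled: env.AUTH_PROXY_ENABLED === 'true',
    headerName: env.AUTH_PROXY_HEADER_NAME ?? 'X-Forwarded-User',
    autoSignUp: env.AUTH_PROXY_AUTO_SIGN_UP === 'true',
    whitelist: (env.AUTH_PROXY_WHITELIST ?? '').split(',').map(s => s.trim()).filter(Boolean),
  };
}

export type AuthProxyResult =
  | { outcome: 'skipped'; reason: string }    // fall through to password auth
  | { outcome: 'rejected'; reason: string }   // header present but not trustworthy
  | { outcome: 'authenticated'; user: User; created: boolean };

function headerValue(req: ProxyRequest, name: string): string | undefined {
  const v = req.headers[name.toLowerCase()];
  const s = Array.isArray(v) ? v[0] : v;
  return s?.trim() || undefined;
}

// Strict on purpose: exactly one '@', no whitespace, a dotted domain.
function looksLikeEmail(s: string): boolean {
  return /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(s);
}

export function authProxy(cfg: AuthProxyConfig, db: MemoryDb, req: ProxyRequest): AuthProxyResult {
  if (!cfg.enabled) return { outcome: 'skipped', reason: 'auth proxy disabled' };
  const email = headerValue(req, cfg.headerName);
  if (!email) return { outcome: 'skipped', reason: 'identity header missing' };

  // The trust decision uses the TCP peer, never a header, and an empty
  // whitelist denies (the "false by default" the reviewer asked for).
  const peer = req.socket.remoteAddress ?? '';
  if (!cfg.whitelist.includes(peer)) {
    return { outcome: 'rejected', reason: `peer ${peer} is not a trusted proxy` };
  }
  if (!looksLikeEmail(email)) return { outcome: 'rejected', reason: 'malformed identity header' };

  const key = email.toLowerCase();
  let user = db.users.find(u => u.email === key);
  let created = false;
  if (!user) {
    // Choice made for this example: with auto sign-up off, an unknown user
    // falls through to password login instead of being provisioned.
    if (!cfg.autoSignUp) return { outcome: 'skipped', reason: 'unknown user, auto sign-up off' };
    let team = db.teams.find(t => t.name === AUTH_PROXY_TEAM_NAME);
    if (!team) { team = { id: db.nextId(), name: AUTH_PROXY_TEAM_NAME }; db.teams.push(team); }
    user = { id: db.nextId(), email: key, name: key, teamId: team.id };
    db.users.push(user);
    created = true;
  }
  req.user = user;                   // stands in for req.logIn() / session setup
  return { outcome: 'authenticated', user, created };
}

// Constructed walk-through: two logins via the proxy, then a direct request
// that carries the header but does not come from a trusted peer.
export function demo(): AuthProxyResult[] {
  const cfg = configFromEnv({
    AUTH_PROXY_ENABLED: 'true', AUTH_PROXY_HEADER_NAME: 'X-Forwarded-User',
    AUTH_PROXY_AUTO_SIGN_UP: 'true', AUTH_PROXY_WHITELIST: '172.17.0.1, 10.0.0.1',
  });
  const db = new MemoryDb();
  const viaProxy = (email: string): ProxyRequest =>
    ({ headers: { 'x-forwarded-user': email }, socket: { remoteAddress: '172.17.0.1' } });
  return [
    authProxy(cfg, db, viaProxy('User@example.com')),   // team and user created
    authProxy(cfg, db, viaProxy('user@example.com')),   // same user, found by email
    authProxy(cfg, db, { headers: { 'x-forwarded-user': 'admin@example.com' },
                         socket: { remoteAddress: '203.0.113.9' } }),
  ];
}
```

`demo()` returns the three decisions in order: the first login provisions the shared team and the user, the second finds that user again by lower-cased email, and the direct request is rejected even though it carries a well-formed header, because the identity in the header is only as trustworthy as the hop that delivered it.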
changeset-bot bot commented Oct 28, 2025

⚠️ No Changeset found

Latest commit: 7e01212

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.


vercel bot commented Oct 28, 2025

@alok87 is attempting to deploy a commit to the HyperDX Team on Vercel.

A member of the Team first needs to authorize it.

name: AUTH_PROXY_TEAM_NAME,
collectorAuthenticationEnforced: true,
});
await team.save();
Member

style: use createTeam

export async function createTeam({

Author

addressed, plz check

Comment on lines 83 to 87
// Use a constant team name for all auth proxy users
const AUTH_PROXY_TEAM_NAME = 'Auth Proxy Team';

// Find or create the shared team
let team = await Team.findOne({ name: AUTH_PROXY_TEAM_NAME });
Member

We should use getTeam here because the app only supports a single team

Author

addressed, plz check

*/
function isAllowedProxyIP(req: Request): boolean {
if (!config.AUTH_PROXY_WHITELIST) {
return true; // No whitelist = allow all (not recommended for production)
Member

shouldn't we set this to false by default?

Author

addressed, plz check

return true; // No whitelist = allow all (not recommended for production)
}

const allowedIPs = config.AUTH_PROXY_WHITELIST.split(',').map(ip =>
Member

style: can use splitAndTrimCSV (

export function splitAndTrimCSV(input: string): string[] {
return input
.split(',')
.map(column => column.trim())
.filter(column => column.length > 0);
}
)

Author

used

const allowedIPs = config.AUTH_PROXY_WHITELIST.split(',').map(ip =>
ip.trim(),
);
const clientIP = req.ip || req.socket.remoteAddress || '';
Member

I wonder if we want to extract IP from headers like x-forwarded-for

Author

thanks, good idea, used.
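The three review points above (deny when the whitelist is unset, reuse `splitAndTrimCSV`, and what to do with `X-Forwarded-For`) put together in one added example. This is not the PR's code; `splitAndTrimCSV` is the helper quoted in the review, while `PeerRequest`, `normalizeIP`, `isAllowedProxyIP`, `effectiveClientIP` and `demoDecisions` are names chosen here. The design choice it makes explicit is that the whitelist is applied to the TCP peer (`req.socket.remoteAddress`), because any forwarded header is written by whoever sent the request; `X-Forwarded-For` is consulted only after the peer has passed, and only to pick the client address written to audit logs. It also normalizes the `::ffff:` IPv4-mapped form Node reports on dual-stack listeners, which a plain string comparison against `172.17.0.1` would otherwise miss (failing closed, but breaking logins).

```typescript
// Added example, not code from the HyperDX PR: the proxy allow-list check from
// the review threads, with an unset list denying by default, the list parsed
// by splitAndTrimCSV, and X-Forwarded-For handled explicitly. All names other
// than splitAndTrimCSV are chosen for this example.

export interface PeerRequest {
  headers: Record<string, string | string[] | undefined>;   // Node lower-cases names
  socket: { remoteAddress?: string };
}

// Same shape as the helper the reviewer pointed at.
export function splitAndTrimCSV(input: string): string[] {
  return input
    .split(',')
    .map(column => column.trim())
    .filter(column => column.length > 0);
}

// On a dual-stack listener Node reports IPv4 peers as "::ffff:172.17.0.1";
// compare on the plain IPv4 form so a whitelist entry "172.17.0.1" matches.
export function normalizeIP(ip: string | undefined): string {
  if (!ip) return '';
  const m = /^::ffff:(\d{1,3}(?:\.\d{1,3}){3})$/i.exec(ip.trim());
  return m ? m[1] : ip.trim().toLowerCase();
}

// Trust decision, made on the TCP peer only. An empty or unset whitelist
// denies: "allow all" would make the identity header trusted from anywhere.
export function isAllowedProxyIP(req: PeerRequest, whitelist: string | undefined): boolean {
  const allowed = new Set(splitAndTrimCSV(whitelist ?? '').map(normalizeIP));
  if (allowed.size === 0) return false;
  return allowed.has(normalizeIP(req.socket.remoteAddress));
}

// For audit logs only: walk X-Forwarded-For from the right and stop at the
// first hop that is not a trusted proxy. The header is sender-controlled, so
// it is read only once the peer itself has passed isAllowedProxyIP.
export function effectiveClientIP(req: PeerRequest, whitelist: string | undefined): string {
  const peer = normalizeIP(req.socket.remoteAddress);
  if (!isAllowedProxyIP(req, whitelist)) return peer;
  const trusted = new Set(splitAndTrimCSV(whitelist ?? '').map(normalizeIP));
  const raw = req.headers['x-forwarded-for'];
  const chain = splitAndTrimCSV(Array.isArray(raw) ? raw.join(',') : raw ?? '').map(normalizeIP);
  for (let i = chain.length - 1; i >= 0; i -= 1) {
    if (!trusted.has(chain[i])) return chain[i];
  }
  return peer;   // every listed hop was a trusted proxy
}

// Constructed requests: one from the proxy, one IPv4-mapped, one direct hit
// carrying a forged header. Returns the allow decisions in that order.
export function demoDecisions(): boolean[] {
  const whitelist = '172.17.0.1, 10.0.0.1';
  const reqs: PeerRequest[] = [
    { headers: {}, socket: { remoteAddress: '172.17.0.1' } },
    { headers: {}, socket: { remoteAddress: '::ffff:10.0.0.1' } },
    { headers: { 'x-forwarded-for': '172.17.0.1' }, socket: { remoteAddress: '203.0.113.9' } },
  ];
  return reqs.map(r => isAllowedProxyIP(r, whitelist));   // [true, true, false]
}
```

The split between `isAllowedProxyIP` and `effectiveClientIP` is the point: the first answers "may this hop vouch for a user identity", the second answers "which address do I record for this request", and only the first may gate authentication.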

@alok87 alok87 force-pushed the feat-auth-proxy-1144 branch from 5ae01a2 to 7e01212 Compare October 29, 2025 07:06
@MikeShi42
Contributor

Hi @alok87 just to mirror what I've shared over Slack: We really appreciate you raising contributions to the project. Unfortunately we won’t be able to accept the contribution upstream since it overlaps with functionality we reserve for our commercial enterprise offering.

While we aim to keep as much as possible open source, certain features that largely are relevant to enterprises (like SSO/SAML, RBAC, etc.) are kept separate to help ensure the long-term sustainability of the project.

Please don’t hesitate to reach out for future contributions if you’d like clarification on our development roadmap or the types of contributions we can accept.

@MikeShi42 MikeShi42 closed this Oct 30, 2025

alok87 commented Oct 30, 2025

I get the SSO business model, but there's a key distinction: my PR doesn't implement SSO/SAML at all. It just reads an X-Forwarded-User header from external auth systems like OAuth2 Proxy or Authelia (all open source). The actual SSO happens outside HyperDX. This was basic reverse proxy compatibility which any open source expects - Grafana, Kibana, and most self-hostable apps support this out of the box. Rejecting this is like calling "read an IP from X-Forwarded-For" an enterprise feature. It just makes the OSS version incompatible with standard infrastructure.


Development

Successfully merging this pull request may close these issues.

Feature request - support auth proxy authentication
