Per-app group-based access control. Apps can now declare an allowed_groups: [...] allowlist; only users in at least one of those groups see and reach the app. Resolves #326.
Added
- New allowed_groups: []string field on each app config. Empty or missing means no group gate (current behavior). When set, a non-admin user must belong to at least one matching group; matching is case-insensitive. Stacks with min_role: both gates must pass.
- Built-in user records gained an optional groups: []string field, editable in Settings -> Security -> Users next to the role selector. The change persists on blur.
- New Allowed groups input on the App edit form (comma-separated), so admins can wire up filtering without touching config.yaml.
- OIDC users now carry their groups_claim value through the session so per-app filtering can match against it. Forward-auth users similarly carry their Remote-Groups header value through. Admins still bypass the group gate the same way they bypass min_role.
- Authentication wiki gained a "Per-App Group Filtering" section explaining the rules, the source-of-truth for each auth method, and how a misconfigured IdP fails closed (invisible) rather than open.
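The gate rules listed above, written out as an added Go sketch; this is not Muximux's own code. The `User` type, `parseGroups`, `canAccess` and the `roleOK` parameter (the outcome of the min_role check, computed elsewhere) are hypothetical names, and trimming blank entries from the comma-separated input is an assumption.

```go
package main

import (
	"fmt"
	"strings"
)

// User is a hypothetical session view. Groups would come from the built-in
// user record, the OIDC groups claim, or the Remote-Groups header.
type User struct {
	Admin  bool
	Groups []string
}

// parseGroups splits a comma-separated form value and drops blank entries
// (assumed behaviour, not confirmed by the release notes).
func parseGroups(s string) []string {
	var out []string
	for _, g := range strings.Split(s, ",") {
		if g = strings.TrimSpace(g); g != "" {
			out = append(out, g)
		}
	}
	return out
}

// canAccess applies both gates. Admins bypass both; everyone else must pass
// the min_role check (roleOK) and, if an allowlist is set, the group check.
func canAccess(u User, allowed []string, roleOK bool) bool {
	if u.Admin {
		return true
	}
	if !roleOK {
		return false
	}
	if len(allowed) == 0 {
		return true // empty or missing allowlist: no group gate
	}
	for _, want := range allowed {
		for _, have := range u.Groups {
			if strings.EqualFold(want, have) { // case-insensitive match
				return true
			}
		}
	}
	return false // no groups delivered or no match: fail closed
}

func main() {
	allowed := parseGroups("Media, Ops") // constructed sample input
	fmt.Println(canAccess(User{Groups: []string{"ops"}}, allowed, true))
	fmt.Println(canAccess(User{}, allowed, true)) // IdP sent no groups
}
```

A user whose identity provider delivers no groups is denied every gated app here, which is the fail-closed outcome the wiki section describes.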
API Key management UI plus per-provider OIDC and forward-auth setup guides covering Microsoft Entra ID, Keycloak, Authentik, Pocket ID, Zitadel, Google, Authelia, and Cloudflare Access.
Added
- Settings > Security > API Key lets admins generate, rotate, and delete the instance-wide API key from the dashboard. The plaintext is shown exactly once after generation; afterwards only the bcrypt hash lives on disk. The previous flow (write api_key_hash to config.yaml by hand or via muximux hash) still works and the UI surfaces the result of either path. Resolves the comment from #321 about the missing UI.
- Authentication wiki gained a second worked example showing how to expose a proxied app's webhook endpoint (for example a CI tool's GitHub receiver) to an external service via auth_bypass + require_api_key: true, with notes on how the proxied app's own X-Api-Key header semantics interact with Muximux's.
- Step-by-step setup guides for eight identity providers, each with the IdP-side configuration, matching config.yaml, validation steps, and a troubleshooting table: Microsoft Entra ID, Keycloak, Authentik, Pocket ID, Zitadel, Google, Authelia (forward auth or OIDC), Cloudflare Access (forward auth). Linked from the wiki sidebar, the README, and the central authentication page.