Context Navigation

← Previous Ticket
Next Ticket →

#36862 assigned Cleanup/optimization

Clarify RemoteUserMiddleware usage and deployment requirements under ASGI

Reported by:	Natalia Bidart	Owned by:	Kundan Yadav
Component:	Documentation	Version:	6.0
Severity:	Normal	Keywords:	RemoteUserMiddleware asgi
Cc:	VIZZARD-X	Triage Stage:	Accepted
Has patch:	no	Needs documentation:	no
Needs tests:	no	Patch needs improvement:	no
Easy pickings:	no	UI/UX:	no

Description

The current RemoteUser docs explains the trust model assuming a front-end web server that securely sets REMOTE_USER env var, but it does not clearly address ASGI deployments where Django may be the direct HTTP endpoint ( uvicorn, daphne examples). This can lead readers to assume that enabling RemoteUserMiddleware under ASGI without a reverse proxy is safe.

The docs should explicitly state that RemoteUserMiddleware assumes a trusted upstream that sets or strips the relevant header, and that running ASGI servers directly on the Internet without such a proxy will allow clients to inject identity headers. This is a documentation clarification only and does not change behavior.

Change History (10)

comment:1 by Jacob Walls, 2 months ago

Triage Stage:	Unreviewed → Accepted

follow-up: 3 comment:2 by Kundan Yadav, 2 months ago

can i work on this issue ?

in reply to: 2 comment:3 by Natalia Bidart, 2 months ago

Replying to Kundan Yadav:

can i work on this issue ?

You are welcome to work on this ticket. That said, please note that this is not a straightforward issue and requires strong familiarity with ASGI and the REMOTE_USER authentication mechanism.

Also, please avoid relying on LLMs to drive your contribution, and ensure that you have carefully read the contributing documentation we have shared. In recent submissions, we have noticed that the code and documentation style do not fully align with the guidelines outlined in the Django coding style documentation. While some checks are automated, others are not. We therefore expect contributors to manually review their work and ensure it follows the documented conventions before submitting it for review.

comment:4 by Kundan Yadav, 8 weeks ago

Owner:	set to Kundan Yadav
Status:	new → assigned

comment:5 by Kundan Yadav, 8 weeks ago

Has patch:	set

https://github.com/django/django/pull/20562

comment:6 by Jacob Walls, 5 weeks ago

Cc:	Andrew Godwin Carlton Gibson Jake Howard removed
Has patch:	unset

comment:7 by VIZZARD-X, 3 weeks ago

Hi, I’d like to take this up, since the owner of the ticket has not produced a patch yet and there have been no formal updates regarding the ticket.

comment:8 by Jacob Walls, 3 weeks ago

Vizzard, the experience from #36750 hasn't given me the confidence that you can handle multiple tickets at a time, so I'd prefer that you wait until we bring that one to completion.

comment:9 by VIZZARD-X, 2 weeks ago

Hello Jacob, since #36750 is completed, can I take this ticket up with your permission?

comment:10 by VIZZARD-X, 2 weeks ago

Cc:	VIZZARD-X added

Note: See TracTickets for help on using tickets.

Download in other formats:

Issues