From 121eb45b44a7c588f23f72e21535e94e0f90346a Mon Sep 17 00:00:00 2001
From: Matt
Date: Mon, 27 Apr 2026 01:26:44 +0000
Subject: [PATCH] feat: add /api/auth/whoami endpoint for frontend auth state

Returns {authenticated: bool, username: string|null} based on X-Authentik-Username header presence. Used by Navi frontend to detect auth state without triggering SSO redirect.
---
 lib/api.py | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/lib/api.py b/lib/api.py
index 732b5de..8a1f383 100644
--- a/lib/api.py
+++ b/lib/api.py
@@ -2704,3 +2704,21 @@ def api_metrics_history():
 return jsonify({'type': metric_type, 'hours': hours, 'points': points})
 except Exception as e:
 return jsonify({'type': metric_type, 'hours': hours, 'points': [], 'error': str(e)})
+
+
+# ── Auth state endpoint ─────────────────────────────────────────────────────
+# Returns current auth state for frontend consumption.
+# This endpoint must be behind Caddy forward_auth to receive X-Authentik-* headers.
+@app.route('/api/auth/whoami')
+def api_auth_whoami():
+ """Return auth state for frontend. Behind forward_auth, so headers are present when authenticated."""
+ username = request.headers.get('X-Authentik-Username')
+ if username:
+ return jsonify({
+ 'authenticated': True,
+ 'username': username,
+ })
+ return jsonify({
+ 'authenticated': False,
+ 'username': None,
+ })
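Review bot: `api_auth_whoami` treats any non-empty `X-Authentik-Username` request header as proof of authentication, and nothing in the handler establishes that the header was set by the proxy rather than by the client. The commit message says the route must answer without triggering the SSO redirect, so unauthenticated requests presumably reach Flask on this path; the result is then only as trustworthy as the proxy's stripping of client-supplied `X-Authentik-*` headers, which this patch does not show. I would state that trust boundary in the comment above the route, e.g. `# Trust boundary: X-Authentik-Username is client-controllable unless Caddy strips inbound X-Authentik-* headers and the app is reachable only through Caddy; treat this result as UI state, never as an authorization decision.` Because the body is per-user, it is also worth building the response object and setting `resp.headers['Cache-Control'] = 'no-store'` so an intermediary cache cannot serve one user's state to another.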