[hero_proxy] Auto-inject users.<username> claim for all authenticated users #36

Open
opened 2026-04-29 07:10:26 +00:00 by mahmoud · 0 comments
Owner

Problem

There is no automatic claim injected for authenticated users. We need
a default claim users.<username> to be automatically set by the proxy
for every logged-in user, so that applications can restrict users to
only managing their own data without needing custom logic.

Example

User mahmoud logs in → proxy automatically injects claim users.mahmoud
as an HTTP header to all backend requests.
Backend can then check: if claim starts with users. → user can only
edit resources matching that username.

Requirements

  • On every authenticated request, proxy injects users.<username> claim
  • This happens automatically without admin needing to configure it per role
  • Claim is injected as an HTTP header alongside any other role-based claims
  • Document the header name and format in hero_proxy skills/docs

Acceptance Criteria

  • users.<username> claim injected automatically on every authenticated request
  • Backends can read the header and enforce user-scoped access
  • Documented in hero_proxy skills or README
  • Does not conflict with manually configured role claims
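
The behaviour requested above, sketched as an added example (not hero_proxy code and not part of the original issue). The header name `X-Proxy-Claims`, the comma-separated format, the username pattern and the choice to drop manually configured claims in the `users.` namespace are all assumptions, since the issue leaves the header name and format to be documented.

```python
import re

# Hypothetical header name; the issue leaves the real one to be documented.
CLAIMS_HEADER = "X-Proxy-Claims"
USER_PREFIX = "users."
# Assumed username policy: no commas, whitespace or control characters, so a
# username can never add a second claim to the comma-separated header value.
USERNAME_RE = re.compile(r"[a-z0-9][a-z0-9_-]{0,63}")


def build_backend_headers(client_headers, username, role_claims):
    """Proxy side: headers forwarded to the backend for an authenticated user."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("username cannot be represented as a claim")
    # Discard any claims header supplied by the client, whatever its case,
    # so only the proxy's value reaches the backend.
    out = {k: v for k, v in client_headers.items()
           if k.lower() != CLAIMS_HEADER.lower()}
    # Reserve users.* for the automatic claim (assumed policy): a manually
    # configured role claim must not be able to assert another user's identity.
    roles = [c for c in role_claims if not c.startswith(USER_PREFIX)]
    out[CLAIMS_HEADER] = ",".join(roles + [USER_PREFIX + username])
    return out


def may_edit(backend_headers, resource_owner):
    """Backend side: require the exact users.<owner> claim, not a prefix."""
    if not resource_owner:
        return False
    claims = backend_headers.get(CLAIMS_HEADER, "").split(",")
    return USER_PREFIX + resource_owner in claims


if __name__ == "__main__":
    # Constructed request: the client tries to pre-set the header, and a role
    # was manually configured with a users.* claim.
    incoming = {"x-proxy-claims": "users.admin", "Accept": "*/*"}
    forwarded = build_backend_headers(incoming, "mahmoud", ["editors", "users.admin"])
    print(forwarded)
    for owner in ("mahmoud", "admin", "mahmoud2"):
        print(owner, may_edit(forwarded, owner))
```

The backend can only trust this header if it accepts requests exclusively from the proxy.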
Reference
lhumina_code/hero_proxy#36