auth providers

auth.md

@@ -33,6 +33,28 @@ PYTORRENT_AUTH_PROXY_AUTO_CREATE_ROLE=admin
 PYTORRENT_AUTH_PROXY_AUTO_CREATE_PERMISSION=rw
 ```
 
+
+## Reverse proxy origin checks
+
+pyTorrent blocks unsafe API requests when the browser `Origin`/`Referer` does not match the application origin. Behind HTTPS reverse proxy this requires either correct forwarded headers or an explicit API origin allowlist.
+
+Recommended variables for reverse proxy mode:
+
+```env
+PYTORRENT_PROXY_FIX_ENABLE=true
+PYTORRENT_SESSION_COOKIE_SECURE=true
+PYTORRENT_SOCKETIO_CORS_ALLOWED_ORIGINS=https://pytorrent.example.com
+PYTORRENT_API_ALLOWED_ORIGINS=https://pytorrent.example.com
+```
+
+`PYTORRENT_API_ALLOWED_ORIGINS` accepts a comma-separated list, for example:
+
+```env
+PYTORRENT_API_ALLOWED_ORIGINS=https://pytorrent.example.com
+```
+
+If `PYTORRENT_API_ALLOWED_ORIGINS` is not set, pyTorrent reuses `PYTORRENT_SOCKETIO_CORS_ALLOWED_ORIGINS` for API origin checks.
+
 ## Local authentication
 
 Use this when pyTorrent should manage its own login screen and passwords.
@@ -80,14 +102,14 @@ location / {
 }
 
 location /tinyauth {
-  proxy_pass http://10.87.7.99:3000/api/auth/nginx;
+  proxy_pass http://10.10.11.11:3000/api/auth/nginx;
   proxy_set_header x-forwarded-proto $scheme;
   proxy_set_header x-forwarded-host $http_host;
   proxy_set_header x-forwarded-uri $request_uri;
 }
 
 location @tinyauth_login {
-  return 302 http://auth.linuxiarz.pl/login?redirect_uri=$scheme://$http_host$request_uri;
+  return 302 http://auth.domian/login?redirect_uri=$scheme://$http_host$request_uri;
 }
 ```