Authentication
Protect pages with login requirements and group-based access control.
Pages can require authentication via the auth: front matter key.
The processor reads X-Remote-* HTTP headers set by an auth wrapper
or external proxy, enforces access control, and makes auth context
available as TT variables.
Protecting a page
---
title: Members Area
auth: required
---
Values: required (must be logged in), optional (read headers if
present), none (no check, the default).
Group-based access
---
title: Admin Dashboard
auth: required
auth_groups:
- admins
- editors
---
The user must be in at least one of the listed groups. A user in none of them gets a 403.
Site-wide default
Set in lazysite/lazysite.conf:
auth_default: required
Pages without an auth: key inherit this value. The login page is always
accessible regardless of the site-wide default.
TT variables
Available in page content and the view template:
- [% authenticated %] - 1 if logged in, 0 otherwise
- [% auth_user %] - username
- [% auth_name %] - display name
- [% auth_email %] - email address
- [% auth_groups %] - array of group names
Custom 403 page
Create 403.md with these context variables:
- [% auth_denied_reason %] - insufficient_groups for group denial
- [% auth_required_groups %] - array of required groups
- [% auth_user %] - authenticated username
Notes
- Protected pages are never cached to disk
- Protected responses include Cache-Control: no-store, private
- The login page (auth_redirect path) is always public
- Works with built-in lazysite-auth.pl or any external proxy (Authentik, Authelia, etc.) that sets the same headers
- Authentication guide - full setup and configuration
- Upgrading to external auth - migration guide
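The rules above (auth values, auth_groups, the site-wide default, the always-public login page and the 403 context) can be read as one decision function. The following is an added model, not lazysite's own code; the header names X-Remote-User and X-Remote-Groups, the comma-separated group format, the "login" outcome for anonymous visitors and the /login path are assumptions, since the page only says X-Remote-*.

```python
# Added model of the access rules on this page; not lazysite's own code.
# Assumptions: the header names X-Remote-User / X-Remote-Groups, comma-separated
# groups, a "login" outcome for anonymous visitors, and /login as the login path.

def decide(page, headers, path, auth_default="none", login_path="/login"):
    """Return (action, context) for one request; action is serve, login or 403."""
    h = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    mode = page.get("auth", auth_default)            # page key wins, else site-wide default
    if path == login_path:
        mode = "none"                                # login page is always accessible
    ctx = {"authenticated": 0, "auth_user": "", "auth_groups": []}
    if mode == "none":
        return "serve", ctx                          # no check (assumed: headers not read)
    user = h.get("x-remote-user", "").strip()
    if user:
        groups = [g.strip() for g in h.get("x-remote-groups", "").split(",")]
        ctx.update(authenticated=1, auth_user=user,
                   auth_groups=[g for g in groups if g])
    if mode == "optional":
        return "serve", ctx                          # headers read if present, never enforced
    ctx["cache_control"] = "no-store, private"       # protected response
    if not user:
        return "login", ctx
    required = page.get("auth_groups") or []
    if required and not set(required) & set(ctx["auth_groups"]):
        ctx.update(auth_denied_reason="insufficient_groups",
                   auth_required_groups=list(required))
        return "403", ctx
    return "serve", ctx

if __name__ == "__main__":
    # Constructed requests against the Admin Dashboard front matter shown above.
    admin = {"auth": "required", "auth_groups": ["admins", "editors"]}
    for hdrs in ({}, {"X-Remote-User": "bob", "X-Remote-Groups": "staff"},
                 {"X-Remote-User": "alice", "X-Remote-Groups": "staff, editors"}):
        print(hdrs, "->", decide(admin, hdrs, "/admin")[0])
```

Every branch depends on the X-Remote-* headers alone, so the auth wrapper or proxy in front must be the only component able to set them, and must drop any copies that arrive on the incoming request.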
Per-user access mechanisms (SM070)
Each user has independent access-mechanism settings — ui (browser
login, default on), webdav (WebDAV publishing, default off), and an
optional dav_scope. Disabling ui blocks the browser login (no
cookie is issued), so the account cannot reach the manager or
auth-protected pages — useful for publish-only deploy identities. See
WebDAV publishing for managing
these and generating strong credentials.