projax

m/projax

Fork 0

Commit Graph

Author	SHA1	Message	Date
mAi	360060b152	feat(auth): rip federation, give projax its own /login mgmt.msbls.de is being retired; depending on it for auth was the wrong direction. Match the mBrian / flexsiebels pattern instead — same Supabase backend, but every tool runs its own login page and scopes cookies to its own host. Routes - GET /login render a sign-in form (mBrian dark visual). If the request already has a valid session, jump to a safe redirectTo (or /). - POST /login exchange email+password at /auth/v1/token?grant_type= password, set cookies, 302 → redirectTo or /. On Supabase 4xx, re-render the form with the error. - POST /logout clear both cookies (Max-Age=-1) + 302 → /login. Cookies - access_token + refresh_token only. No Domain attribute → scope is projax.msbls.de exclusively. HttpOnly, Secure, SameSite=Lax, Path=/, Max-Age=1y. Matches mBrian + flexsiebels per-host pattern. Middleware - /healthz, /login, /logout always pass through (otherwise infinite redirect on the probe / login page). - On invalid/expired session → 302 /login?redirectTo=<safe-path>, RELATIVE to projax. No more cross-host bounce. - Cookie refresh on expiry still rotates both cookies in place. - Bearer header path kept for scripted clients. safeRedirect - Path-only. Rejects "", "//", "https://", "\*", control-char injection. Cross-host or scheme bounces fall back to "/". Tested against the obvious bypasses. Cleanup - Drop PROJAX_LOGIN_URL + PROJAX_COOKIE_DOMAIN env vars (unused now). - main.go: log "auth: own-login enabled" with the supabase URL on startup; warn loudly when SUPABASE_URL is unset. - README trust-model section rewritten: own login, per-host cookies, same backend. - layout.tmpl gains a "sign out" form-button in the nav so the tree / detail / classify pages can log out without curl. Tests (14, no DB needed): stub Supabase via httptest covers healthz/login/logout exemption, anonymous→/login redirect, valid cookie + Bearer pass-through, stale-refresh rotation with NO Domain attribute, hard-fail redirect, GET form render with redirectTo carry, already-signed-in short-circuit, POST success with correct cookies, POST bad-creds error surface, redirectTo safety (path-only, no //, no absolute URLs), logout cookie clearance. Full suite (incl. DB-backed): 27/27 green with PROJAX_SKIP_MIGRATE=1.	2026-05-15 15:16:55 +02:00
mAi	840c1760c9	feat(auth): federate with mgmt.msbls.de via Supabase cookies projax was deployed publicly through Dokploy/Traefik with a Let's Encrypt cert; the earlier "Tailscale-only" claim was never true. Gate every request at the application layer using the same Supabase JWT cookie pair that mgmt.msbls.de issues, so projax inherits SSO without running its own login. Middleware (web/auth.go): - GET <SUPABASE_URL>/auth/v1/user with the access_token cookie or a Bearer header. On 2xx → pass through. - On expiry, swap the refresh_token via /auth/v1/token?grant_type= refresh_token and rotate both cookies (Domain=msbls.de, HttpOnly, Secure, SameSite=Lax, Path=/, Max-Age=1y). Cookie attributes match mgmt/auth.ts verbatim — refreshed sessions stay drop-in compatible with the rest of the .msbls.de fleet. - Anything still invalid → 302 to <PROJAX_LOGIN_URL>?redirectTo= <original-absolute-url>. mgmt's safeRedirect() rejects absolute URLs and falls back to /, so after login the user lands on mgmt; manual click back to projax then succeeds with the fresh cookie. UX is rough but functional; broadening mgmt's safeRedirect is parked for a separate PR. - /healthz remains ungated so Dokploy/Traefik probes don't hit the redirect. main.go: enable the middleware only when SUPABASE_URL is set; require SUPABASE_ANON_KEY when it is (refuse to start otherwise). New env overrides: PROJAX_LOGIN_URL (default https://mgmt.msbls.de/login), PROJAX_COOKIE_DOMAIN (default msbls.de). Local dev with no env stays fully anonymous. Tests (7 cases, no DB needed): stub Supabase via httptest covers healthz-open, anonymous-redirect, bad-cookie-redirect, good-cookie pass-through, Bearer-pass-through, stale-but-refreshable rotation (verifies cookie Domain/HttpOnly/Secure/SameSite), final fail redirect. DB-backed integration tests now honour PROJAX_SKIP_MIGRATE=1 so they don't deadlock against the live container's auto-migrate during a deploy window. README + dokploy.yaml: kill the Tailscale-only claim, document the federated-auth trust model and the new SUPABASE_* env contract.	2026-05-15 14:58:43 +02:00

Author

SHA1

Message

Date

mAi

360060b152

feat(auth): rip federation, give projax its own /login

mgmt.msbls.de is being retired; depending on it for auth was the wrong
direction. Match the mBrian / flexsiebels pattern instead — same
Supabase backend, but every tool runs its own login page and scopes
cookies to its own host.

Routes
- GET  /login   render a sign-in form (mBrian dark visual). If the
                request already has a valid session, jump to a safe
                redirectTo (or /).
- POST /login   exchange email+password at /auth/v1/token?grant_type=
                password, set cookies, 302 → redirectTo or /. On
                Supabase 4xx, re-render the form with the error.
- POST /logout  clear both cookies (Max-Age=-1) + 302 → /login.

Cookies
- access_token + refresh_token only. No Domain attribute → scope is
  projax.msbls.de exclusively. HttpOnly, Secure, SameSite=Lax, Path=/,
  Max-Age=1y. Matches mBrian + flexsiebels per-host pattern.

Middleware
- /healthz, /login, /logout always pass through (otherwise infinite
  redirect on the probe / login page).
- On invalid/expired session → 302 /login?redirectTo=<safe-path>,
  RELATIVE to projax. No more cross-host bounce.
- Cookie refresh on expiry still rotates both cookies in place.
- Bearer header path kept for scripted clients.

safeRedirect
- Path-only. Rejects "", "//*", "https://*", "\*", control-char
  injection. Cross-host or scheme bounces fall back to "/". Tested
  against the obvious bypasses.

Cleanup
- Drop PROJAX_LOGIN_URL + PROJAX_COOKIE_DOMAIN env vars (unused now).
- main.go: log "auth: own-login enabled" with the supabase URL on
  startup; warn loudly when SUPABASE_URL is unset.
- README trust-model section rewritten: own login, per-host cookies,
  same backend.
- layout.tmpl gains a "sign out" form-button in the nav so the tree /
  detail / classify pages can log out without curl.

Tests (14, no DB needed): stub Supabase via httptest covers
healthz/login/logout exemption, anonymous→/login redirect, valid
cookie + Bearer pass-through, stale-refresh rotation with NO Domain
attribute, hard-fail redirect, GET form render with redirectTo carry,
already-signed-in short-circuit, POST success with correct cookies,
POST bad-creds error surface, redirectTo safety (path-only, no //,
no absolute URLs), logout cookie clearance.

Full suite (incl. DB-backed): 27/27 green with PROJAX_SKIP_MIGRATE=1.

2026-05-15 15:16:55 +02:00

mAi

840c1760c9

feat(auth): federate with mgmt.msbls.de via Supabase cookies

projax was deployed publicly through Dokploy/Traefik with a Let's
Encrypt cert; the earlier "Tailscale-only" claim was never true. Gate
every request at the application layer using the same Supabase JWT
cookie pair that mgmt.msbls.de issues, so projax inherits SSO without
running its own login.

Middleware (web/auth.go):
- GET <SUPABASE_URL>/auth/v1/user with the access_token cookie or a
  Bearer header. On 2xx → pass through.
- On expiry, swap the refresh_token via /auth/v1/token?grant_type=
  refresh_token and rotate both cookies (Domain=msbls.de, HttpOnly,
  Secure, SameSite=Lax, Path=/, Max-Age=1y). Cookie attributes match
  mgmt/auth.ts verbatim — refreshed sessions stay drop-in compatible
  with the rest of the .msbls.de fleet.
- Anything still invalid → 302 to <PROJAX_LOGIN_URL>?redirectTo=
  <original-absolute-url>. mgmt's safeRedirect() rejects absolute URLs
  and falls back to /, so after login the user lands on mgmt; manual
  click back to projax then succeeds with the fresh cookie. UX is
  rough but functional; broadening mgmt's safeRedirect is parked for a
  separate PR.
- /healthz remains ungated so Dokploy/Traefik probes don't hit the
  redirect.

main.go: enable the middleware only when SUPABASE_URL is set; require
SUPABASE_ANON_KEY when it is (refuse to start otherwise). New env
overrides: PROJAX_LOGIN_URL (default https://mgmt.msbls.de/login),
PROJAX_COOKIE_DOMAIN (default msbls.de). Local dev with no env stays
fully anonymous.

Tests (7 cases, no DB needed): stub Supabase via httptest covers
healthz-open, anonymous-redirect, bad-cookie-redirect, good-cookie
pass-through, Bearer-pass-through, stale-but-refreshable rotation
(verifies cookie Domain/HttpOnly/Secure/SameSite), final fail
redirect.

DB-backed integration tests now honour PROJAX_SKIP_MIGRATE=1 so they
don't deadlock against the live container's auto-migrate during a
deploy window.

README + dokploy.yaml: kill the Tailscale-only claim, document the
federated-auth trust model and the new SUPABASE_* env contract.

2026-05-15 14:58:43 +02:00

2 Commits