projax

m/projax

Fork 0

Commit Graph

Author	SHA1	Message	Date
mAi	840c1760c9	feat(auth): federate with mgmt.msbls.de via Supabase cookies projax was deployed publicly through Dokploy/Traefik with a Let's Encrypt cert; the earlier "Tailscale-only" claim was never true. Gate every request at the application layer using the same Supabase JWT cookie pair that mgmt.msbls.de issues, so projax inherits SSO without running its own login. Middleware (web/auth.go): - GET <SUPABASE_URL>/auth/v1/user with the access_token cookie or a Bearer header. On 2xx → pass through. - On expiry, swap the refresh_token via /auth/v1/token?grant_type= refresh_token and rotate both cookies (Domain=msbls.de, HttpOnly, Secure, SameSite=Lax, Path=/, Max-Age=1y). Cookie attributes match mgmt/auth.ts verbatim — refreshed sessions stay drop-in compatible with the rest of the .msbls.de fleet. - Anything still invalid → 302 to <PROJAX_LOGIN_URL>?redirectTo= <original-absolute-url>. mgmt's safeRedirect() rejects absolute URLs and falls back to /, so after login the user lands on mgmt; manual click back to projax then succeeds with the fresh cookie. UX is rough but functional; broadening mgmt's safeRedirect is parked for a separate PR. - /healthz remains ungated so Dokploy/Traefik probes don't hit the redirect. main.go: enable the middleware only when SUPABASE_URL is set; require SUPABASE_ANON_KEY when it is (refuse to start otherwise). New env overrides: PROJAX_LOGIN_URL (default https://mgmt.msbls.de/login), PROJAX_COOKIE_DOMAIN (default msbls.de). Local dev with no env stays fully anonymous. Tests (7 cases, no DB needed): stub Supabase via httptest covers healthz-open, anonymous-redirect, bad-cookie-redirect, good-cookie pass-through, Bearer-pass-through, stale-but-refreshable rotation (verifies cookie Domain/HttpOnly/Secure/SameSite), final fail redirect. DB-backed integration tests now honour PROJAX_SKIP_MIGRATE=1 so they don't deadlock against the live container's auto-migrate during a deploy window. README + dokploy.yaml: kill the Tailscale-only claim, document the federated-auth trust model and the new SUPABASE_* env contract.	2026-05-15 14:58:43 +02:00
mAi	092a56cf24	feat(db): pivot to dedicated projax_admin role Mirrors the mbrian_admin pattern: the binary connects as a role bounded to the projax schema, so even a compromised projax process cannot read mai.workers, otto., vault., etc. - 0001: switch grants block from postgres → projax_admin (conditional on the role existing — bootstrap still works as superuser before the role is created). Wrap `create schema` in a guard so the migration is idempotent when re-run as a non-superuser app role that lacks database-level CREATE. - 0005_reown_to_projax_admin.sql: enumerate every projax-namespaced object via pg_namespace + pg_class / pg_proc and ALTER OWNER to projax_admin. Explicitly scoped — no global REASSIGN OWNED that would yank ownership from other projects sharing the postgres role. Strips residual postgres grants. No-ops with a NOTICE when the role is missing. - README: new "Manual prerequisite" deploy section. Documents the CREATE ROLE statement, the cross-schema USAGE + SELECT grants, AND the RLS policy `projax_read ON mai.projects` that's required because mai.projects has row-level security with policies scoped to `mai` and `anon` only. Without the policy, items_unified silently returns zero mai-source rows. - deploy/dokploy.yaml: DSN comment now reflects projax_admin and points at the README prereq. Verified locally against msupabase with a throwaway projax_admin role: - 13/13 tests green - mai.workers SELECT → permission denied - mai.sessions SELECT → permission denied - mai.projects SELECT → 59 rows (RLS policy in effect) - projax.items_unified SELECT → 66 rows (7 projax + 59 mai)	2026-05-15 13:32:56 +02:00
mAi	9466759aeb	build: Dockerfile + Dokploy manifest + README - Multi-stage Dockerfile: golang:1.25-alpine builder → distroless static runtime as nonroot. Image weighs ~15 MB. Embeds templates, static assets and migrations into the single binary. - deploy/dokploy.yaml documents the Dokploy app for projax.msbls.de: Tailscale-only, healthz path, single replica, secret PROJAX_DB_URL. Translates to the Dokploy UI; not auto-applied. - README rewritten as runbook: env vars, route table, test command, deploy notes, trust model (Tailscale + no auth in v1, defer to Supabase auth if it ever outgrows the fence), schema summary. - .dockerignore strips .git, .m, .claude, docs, tests from build ctx. - .gitignore covers ad-hoc binary and dist artefacts. Verified locally: docker build succeeds, container responds to /healthz and / against msupabase via --network host.	2026-05-15 13:26:53 +02:00

Author

SHA1

Message

Date

mAi

840c1760c9

feat(auth): federate with mgmt.msbls.de via Supabase cookies

projax was deployed publicly through Dokploy/Traefik with a Let's
Encrypt cert; the earlier "Tailscale-only" claim was never true. Gate
every request at the application layer using the same Supabase JWT
cookie pair that mgmt.msbls.de issues, so projax inherits SSO without
running its own login.

Middleware (web/auth.go):
- GET <SUPABASE_URL>/auth/v1/user with the access_token cookie or a
  Bearer header. On 2xx → pass through.
- On expiry, swap the refresh_token via /auth/v1/token?grant_type=
  refresh_token and rotate both cookies (Domain=msbls.de, HttpOnly,
  Secure, SameSite=Lax, Path=/, Max-Age=1y). Cookie attributes match
  mgmt/auth.ts verbatim — refreshed sessions stay drop-in compatible
  with the rest of the .msbls.de fleet.
- Anything still invalid → 302 to <PROJAX_LOGIN_URL>?redirectTo=
  <original-absolute-url>. mgmt's safeRedirect() rejects absolute URLs
  and falls back to /, so after login the user lands on mgmt; manual
  click back to projax then succeeds with the fresh cookie. UX is
  rough but functional; broadening mgmt's safeRedirect is parked for a
  separate PR.
- /healthz remains ungated so Dokploy/Traefik probes don't hit the
  redirect.

main.go: enable the middleware only when SUPABASE_URL is set; require
SUPABASE_ANON_KEY when it is (refuse to start otherwise). New env
overrides: PROJAX_LOGIN_URL (default https://mgmt.msbls.de/login),
PROJAX_COOKIE_DOMAIN (default msbls.de). Local dev with no env stays
fully anonymous.

Tests (7 cases, no DB needed): stub Supabase via httptest covers
healthz-open, anonymous-redirect, bad-cookie-redirect, good-cookie
pass-through, Bearer-pass-through, stale-but-refreshable rotation
(verifies cookie Domain/HttpOnly/Secure/SameSite), final fail
redirect.

DB-backed integration tests now honour PROJAX_SKIP_MIGRATE=1 so they
don't deadlock against the live container's auto-migrate during a
deploy window.

README + dokploy.yaml: kill the Tailscale-only claim, document the
federated-auth trust model and the new SUPABASE_* env contract.

2026-05-15 14:58:43 +02:00

mAi

092a56cf24

feat(db): pivot to dedicated projax_admin role

Mirrors the mbrian_admin pattern: the binary connects as a role bounded
to the projax schema, so even a compromised projax process cannot read
mai.workers, otto.*, vault.*, etc.

- 0001: switch grants block from postgres → projax_admin (conditional
  on the role existing — bootstrap still works as superuser before the
  role is created). Wrap `create schema` in a guard so the migration
  is idempotent when re-run as a non-superuser app role that lacks
  database-level CREATE.
- 0005_reown_to_projax_admin.sql: enumerate every projax-namespaced
  object via pg_namespace + pg_class / pg_proc and ALTER OWNER to
  projax_admin. Explicitly scoped — no global REASSIGN OWNED that
  would yank ownership from other projects sharing the postgres role.
  Strips residual postgres grants. No-ops with a NOTICE when the role
  is missing.
- README: new "Manual prerequisite" deploy section. Documents the
  CREATE ROLE statement, the cross-schema USAGE + SELECT grants, AND
  the RLS policy `projax_read ON mai.projects` that's required because
  mai.projects has row-level security with policies scoped to `mai`
  and `anon` only. Without the policy, items_unified silently returns
  zero mai-source rows.
- deploy/dokploy.yaml: DSN comment now reflects projax_admin and
  points at the README prereq.

Verified locally against msupabase with a throwaway projax_admin role:
- 13/13 tests green
- mai.workers SELECT → permission denied
- mai.sessions SELECT → permission denied
- mai.projects SELECT → 59 rows (RLS policy in effect)
- projax.items_unified SELECT → 66 rows (7 projax + 59 mai)

2026-05-15 13:32:56 +02:00

mAi

9466759aeb

build: Dockerfile + Dokploy manifest + README

- Multi-stage Dockerfile: golang:1.25-alpine builder → distroless static
  runtime as nonroot. Image weighs ~15 MB. Embeds templates, static
  assets and migrations into the single binary.
- deploy/dokploy.yaml documents the Dokploy app for projax.msbls.de:
  Tailscale-only, healthz path, single replica, secret PROJAX_DB_URL.
  Translates to the Dokploy UI; not auto-applied.
- README rewritten as runbook: env vars, route table, test command,
  deploy notes, trust model (Tailscale + no auth in v1, defer to
  Supabase auth if it ever outgrows the fence), schema summary.
- .dockerignore strips .git, .m, .claude, docs, tests from build ctx.
- .gitignore covers ad-hoc binary and dist artefacts.

Verified locally: docker build succeeds, container responds to /healthz
and / against msupabase via --network host.

2026-05-15 13:26:53 +02:00

3 Commits