m/projax
1
0
Fork 0
Code Issues 5 Pull Requests Actions Packages Projects Releases Wiki Activity
Files
840c1760c9fd7aae180fdd941e06a6eaf888bb78
projax/deploy/dokploy.yaml
mAi 840c1760c9 feat(auth): federate with mgmt.msbls.de via Supabase cookies 
projax was deployed publicly through Dokploy/Traefik with a Let's
Encrypt cert; the earlier "Tailscale-only" claim was never true. Gate
every request at the application layer using the same Supabase JWT
cookie pair that mgmt.msbls.de issues, so projax inherits SSO without
running its own login.

Middleware (web/auth.go):
- GET <SUPABASE_URL>/auth/v1/user with the access_token cookie or a
  Bearer header. On 2xx → pass through.
- On expiry, swap the refresh_token via /auth/v1/token?grant_type=
  refresh_token and rotate both cookies (Domain=msbls.de, HttpOnly,
  Secure, SameSite=Lax, Path=/, Max-Age=1y). Cookie attributes match
  mgmt/auth.ts verbatim — refreshed sessions stay drop-in compatible
  with the rest of the .msbls.de fleet.
- Anything still invalid → 302 to <PROJAX_LOGIN_URL>?redirectTo=
  <original-absolute-url>. mgmt's safeRedirect() rejects absolute URLs
  and falls back to /, so after login the user lands on mgmt; manual
  click back to projax then succeeds with the fresh cookie. UX is
  rough but functional; broadening mgmt's safeRedirect is parked for a
  separate PR.
- /healthz remains ungated so Dokploy/Traefik probes don't hit the
  redirect.

main.go: enable the middleware only when SUPABASE_URL is set; require
SUPABASE_ANON_KEY when it is (refuse to start otherwise). New env
overrides: PROJAX_LOGIN_URL (default https://mgmt.msbls.de/login),
PROJAX_COOKIE_DOMAIN (default msbls.de). Local dev with no env stays
fully anonymous.

Tests (7 cases, no DB needed): stub Supabase via httptest covers
healthz-open, anonymous-redirect, bad-cookie-redirect, good-cookie
pass-through, Bearer-pass-through, stale-but-refreshable rotation
(verifies cookie Domain/HttpOnly/Secure/SameSite), final fail
redirect.

DB-backed integration tests now honour PROJAX_SKIP_MIGRATE=1 so they
don't deadlock against the live container's auto-migrate during a
deploy window.

README + dokploy.yaml: kill the Tailscale-only claim, document the
federated-auth trust model and the new SUPABASE_* env contract.
2026-05-15 14:58:43 +02:00

44 lines
1.2 KiB
YAML
Raw Blame History

# Dokploy app: projax
#
# Apply via Dokploy UI on mlake, or as a reference for the manual setup.
# Public over HTTPS with Let's Encrypt; auth is enforced at the application
# layer via Supabase JWT cookies federated with mgmt.msbls.de.
# Single replica, single tenant (m).
#
# Environment expected (set via Dokploy secrets, NEVER commit):
# PROJAX_DB_URL postgres://projax_admin:<pw>@<msupabase-tailscale-ip>:6789/postgres?sslmode=disable
# PROJAX_LISTEN_ADDR :8080 (default; Dokploy maps to public port)
# PROJAX_AUTO_MIGRATE on (default; set "off" to bypass embedded migrations on boot)
#
# README §"Deploy / 0. Manual prerequisite" documents the one-time CREATE ROLE
# projax_admin + cross-schema grants + RLS policy on mai.projects. The
# migrations themselves are credential-free.
name: projax
service: projax
image:
build:
context: .
dockerfile: Dockerfile
domain:
host: projax.msbls.de
port: 8080
https: true
healthcheck:
path: /healthz
interval: 30s
timeout: 3s
retries: 3
resources:
cpu: 250m
memory: 128Mi
replicas: 1
restart: unless-stopped
env:
- PROJAX_LISTEN_ADDR=:8080
- PROJAX_AUTO_MIGRATE=on
- SUPABASE_URL=https://supa.flexsiebels.de
secrets:
- PROJAX_DB_URL
- SUPABASE_ANON_KEY
Reference in New Issue View Git Blame Copy Permalink