feat(web): login-gated BFF auth — sealed session cookie + server-side token injection
ci / rust (push) Has been cancelled
ci / rust (push) Has been cancelled
Single-user, LAN-reachable-but-gated. The web server is a backend-for-frontend:
- Login: POST /_auth/login {password} checks PUNKTFUNK_UI_PASSWORD (constant-time) and
sets a SEALED session cookie (h3 useSession / AES-GCM). server/middleware/auth.ts gates
every request — pages 302 → /login, /api → 401 — and FAILS CLOSED (503) when
PUNKTFUNK_UI_PASSWORD is unset, so a misconfigured LAN-exposed server admits no one.
- The management API stays loopback-only + token (never LAN-exposed). The proxy
(server/routes/api/[...].ts) injects PUNKTFUNK_MGMT_TOKEN server-side and drops the
browser's cookie before forwarding — the token never reaches the browser, which only
holds the session cookie.
Nitro doesn't auto-scan a server/ dir, so the Nitro plugin gets an explicit scanDirs to
pick up middleware + routes. Client: removed the localStorage token (server injects it);
the fetcher bounces to /login on 401; new /login page (bare, no shell); Settings drops the
token field and gains a Sign-out button; en/de strings.
Validated live end to end: unauth /→302, /api→401; wrong pw→401; right pw→200+cookie;
authed /api/v1/status→200 (proxied, mgmt token injected — the host required it); logout→
session cleared→401. tsc + build green.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -0,0 +1,27 @@
|
||||
// The single server-side gate. Runs for EVERY request to the deployed Bun/Nitro server
|
||||
// (pages, the /api proxy, everything) before routing. Unauthenticated requests are
|
||||
// redirected to /login (page navigations) or rejected 401 (/api). Fails CLOSED if
|
||||
// PUNKTFUNK_UI_PASSWORD is unset, so a misconfigured LAN-exposed server admits no one.
|
||||
import { defineEventHandler, getRequestURL, sendRedirect, setResponseStatus, useSession } from 'h3'
|
||||
import { isPublicPath, sessionConfig, uiPassword, type SessionData } from '../util/auth'
|
||||
|
||||
export default defineEventHandler(async (event) => {
|
||||
const { pathname } = getRequestURL(event)
|
||||
if (isPublicPath(pathname)) return
|
||||
|
||||
// Misconfigured: refuse everything rather than serve open on the LAN.
|
||||
if (!uiPassword()) {
|
||||
setResponseStatus(event, 503)
|
||||
return { error: 'auth not configured: set PUNKTFUNK_UI_PASSWORD' }
|
||||
}
|
||||
|
||||
const session = await useSession<SessionData>(event, sessionConfig())
|
||||
if (session.data.authenticated) return // authenticated — let it through
|
||||
|
||||
if (pathname.startsWith('/api')) {
|
||||
setResponseStatus(event, 401)
|
||||
return { error: 'unauthorized' }
|
||||
}
|
||||
// Page navigation → bounce to the login screen, remembering where they were headed.
|
||||
return sendRedirect(event, `/login?next=${encodeURIComponent(pathname)}`, 302)
|
||||
})
|
||||
Reference in New Issue
Block a user