feat(web): login-gated BFF auth — sealed session cookie + server-side token injection
ci / rust (push) Has been cancelled
ci / rust (push) Has been cancelled
Single-user, LAN-reachable-but-gated. The web server is a backend-for-frontend:
- Login: POST /_auth/login {password} checks PUNKTFUNK_UI_PASSWORD (constant-time) and
sets a SEALED session cookie (h3 useSession / AES-GCM). server/middleware/auth.ts gates
every request — pages 302 → /login, /api → 401 — and FAILS CLOSED (503) when
PUNKTFUNK_UI_PASSWORD is unset, so a misconfigured LAN-exposed server admits no one.
- The management API stays loopback-only + token (never LAN-exposed). The proxy
(server/routes/api/[...].ts) injects PUNKTFUNK_MGMT_TOKEN server-side and drops the
browser's cookie before forwarding — the token never reaches the browser, which only
holds the session cookie.
Nitro doesn't auto-scan a server/ dir, so the Nitro plugin gets an explicit scanDirs to
pick up middleware + routes. Client: removed the localStorage token (server injects it);
the fetcher bounces to /login on 401; new /login page (bare, no shell); Settings drops the
token field and gains a Sign-out button; en/de strings.
Validated live end to end: unauth /→302, /api→401; wrong pw→401; right pw→200+cookie;
authed /api/v1/status→200 (proxied, mgmt token injected — the host required it); logout→
session cleared→401. tsc + build green.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -0,0 +1,62 @@
|
||||
// Shared auth helpers for the Nitro server (the deployed Bun server). Single-user,
|
||||
// shared-password gate: the user logs in with PUNKTFUNK_UI_PASSWORD, which sets a SEALED
|
||||
// (h3 useSession — AES-GCM) cookie; every request is gated by server/middleware/auth.ts.
|
||||
//
|
||||
// The management token never reaches the browser: server/routes/api/[...].ts injects it
|
||||
// server-side when proxying to the loopback management API.
|
||||
import { createHash, timingSafeEqual as nodeTimingSafeEqual } from 'node:crypto'
|
||||
import type { SessionConfig } from 'h3'
|
||||
|
||||
export const SESSION_NAME = 'pf_session'
|
||||
|
||||
/** The login password. Empty string ⇒ auth is MISCONFIGURED (the gate fails closed). */
|
||||
export function uiPassword(): string {
|
||||
return process.env.PUNKTFUNK_UI_PASSWORD ?? ''
|
||||
}
|
||||
|
||||
/** The management API the proxy forwards to (loopback by default — never LAN-exposed). */
|
||||
export function mgmtUrl(): string {
|
||||
return process.env.PUNKTFUNK_MGMT_URL ?? 'http://127.0.0.1:47990'
|
||||
}
|
||||
|
||||
/** Bearer token for the management API, injected server-side. */
|
||||
export function mgmtToken(): string {
|
||||
return process.env.PUNKTFUNK_MGMT_TOKEN ?? ''
|
||||
}
|
||||
|
||||
/**
|
||||
* The cookie-sealing key for h3 `useSession` (must be ≥ 32 chars). Use PUNKTFUNK_UI_SECRET
|
||||
* if set; otherwise derive a stable 64-hex key from the password so single-var config works
|
||||
* (changing the password then invalidates existing sessions, which is fine).
|
||||
*/
|
||||
export function sessionConfig(): SessionConfig {
|
||||
const secret = process.env.PUNKTFUNK_UI_SECRET
|
||||
const password = secret && secret.length >= 32
|
||||
? secret
|
||||
: createHash('sha256').update(`punktfunk-session-v1:${uiPassword()}`).digest('hex')
|
||||
return { name: SESSION_NAME, password }
|
||||
}
|
||||
|
||||
/** Constant-time string comparison (avoids leaking the password via timing). */
|
||||
export function timingSafeEqual(a: string, b: string): boolean {
|
||||
const ab = Buffer.from(a)
|
||||
const bb = Buffer.from(b)
|
||||
if (ab.length !== bb.length) return false
|
||||
return nodeTimingSafeEqual(ab, bb)
|
||||
}
|
||||
|
||||
/** Paths reachable WITHOUT a session: the login page, the auth endpoints, and static
|
||||
* assets (the login page needs its own CSS/JS). Everything else is gated. */
|
||||
export function isPublicPath(pathname: string): boolean {
|
||||
if (pathname === '/login') return true
|
||||
if (pathname.startsWith('/_auth/')) return true
|
||||
if (pathname.startsWith('/assets/')) return true
|
||||
if (pathname === '/favicon.ico' || pathname === '/robots.txt') return true
|
||||
// Vite/TanStack client chunks and source maps requested by the login page.
|
||||
if (/\.(js|css|map|ico|svg|png|woff2?|json)$/.test(pathname)) return true
|
||||
return false
|
||||
}
|
||||
|
||||
export interface SessionData {
|
||||
authenticated?: boolean
|
||||
}
|
||||
Reference in New Issue
Block a user