feat(web): login-gated BFF auth — sealed session cookie + server-side token injection
ci / rust (push) Has been cancelled
ci / rust (push) Has been cancelled
Single-user, LAN-reachable-but-gated. The web server is a backend-for-frontend:
- Login: POST /_auth/login {password} checks PUNKTFUNK_UI_PASSWORD (constant-time) and
sets a SEALED session cookie (h3 useSession / AES-GCM). server/middleware/auth.ts gates
every request — pages 302 → /login, /api → 401 — and FAILS CLOSED (503) when
PUNKTFUNK_UI_PASSWORD is unset, so a misconfigured LAN-exposed server admits no one.
- The management API stays loopback-only + token (never LAN-exposed). The proxy
(server/routes/api/[...].ts) injects PUNKTFUNK_MGMT_TOKEN server-side and drops the
browser's cookie before forwarding — the token never reaches the browser, which only
holds the session cookie.
Nitro doesn't auto-scan a server/ dir, so the Nitro plugin gets an explicit scanDirs to
pick up middleware + routes. Client: removed the localStorage token (server injects it);
the fetcher bounces to /login on 401; new /login page (bare, no shell); Settings drops the
token field and gains a Sign-out button; en/de strings.
Validated live end to end: unauth /→302, /api→401; wrong pw→401; right pw→200+cookie;
authed /api/v1/status→200 (proxied, mgmt token injected — the host required it); logout→
session cleared→401. tsc + build green.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
+11
-6
@@ -1,3 +1,4 @@
|
||||
import { fileURLToPath } from 'node:url'
|
||||
import { defineConfig } from 'vite'
|
||||
import { tanstackStart } from '@tanstack/react-start/plugin/vite'
|
||||
import { nitroV2Plugin } from '@tanstack/nitro-v2-vite-plugin'
|
||||
@@ -6,6 +7,10 @@ import viteTsConfigPaths from 'vite-tsconfig-paths'
|
||||
import tailwindcss from '@tailwindcss/vite'
|
||||
import { paraglideVitePlugin } from '@inlang/paraglide-js'
|
||||
|
||||
// Absolute path to our Nitro server source (middleware + routes). Passed as a scanDir
|
||||
// because the TanStack Nitro plugin doesn't auto-scan a server/ dir.
|
||||
const serverDir = fileURLToPath(new URL('./server', import.meta.url))
|
||||
|
||||
// The management API the console drives. The browser always talks same-origin (/api/...):
|
||||
// in `vite dev` the dev server proxies it (below); in the built Bun/Nitro server a Nitro
|
||||
// route-rule proxies it (below). Override the upstream with PUNKTFUNK_MGMT_URL.
|
||||
@@ -30,15 +35,15 @@ export default defineConfig({
|
||||
// renders a data-free shell that hydrates in the browser).
|
||||
tanstackStart(),
|
||||
// Nitro v2 is the deployment target: the `bun` preset bundles a Bun-runnable server to
|
||||
// .output/ (`bun run .output/server/index.mjs`). The route-rule keeps the browser
|
||||
// same-origin by proxying /api/** to the management host, so the bearer token and
|
||||
// cookies ride along with no CORS.
|
||||
// .output/ (`bun run .output/server/index.mjs`). Auth + the /api proxy live in the
|
||||
// scanned `server/` dir (middleware/auth.ts gates every request; routes/api/[...].ts
|
||||
// proxies to the management host injecting the bearer token server-side) — NOT a static
|
||||
// routeRule, so the proxy runs behind the login gate and reads env at runtime.
|
||||
nitroV2Plugin({
|
||||
preset: 'bun',
|
||||
compatibilityDate: '2026-06-10',
|
||||
routeRules: {
|
||||
'/api/**': { proxy: `${MGMT_URL}/api/**` },
|
||||
},
|
||||
// Scan server/{middleware,routes} for the auth gate + the /api proxy.
|
||||
scanDirs: [serverDir],
|
||||
}),
|
||||
// Must come AFTER tanstackStart — provides the React JSX transform + Refresh runtime
|
||||
// that Start's dev mode requires (omitting it leaves the client JS unable to load).
|
||||
|
||||
Reference in New Issue
Block a user