unom/punktfunk
1
0
Fork 0
Code Issues Pull Requests Actions 10 Packages Projects Releases 4 Wiki Activity
Files
5c1aa453c1f158fccea132284610b24e022b9c4e
punktfunk/web/.env.example
T
enricobuehler 9856c04b75
ci / rust (push) Has been cancelled
Details
feat(web): login-gated BFF auth — sealed session cookie + server-side token injection 
Single-user, LAN-reachable-but-gated. The web server is a backend-for-frontend:

- Login: POST /_auth/login {password} checks PUNKTFUNK_UI_PASSWORD (constant-time) and
  sets a SEALED session cookie (h3 useSession / AES-GCM). server/middleware/auth.ts gates
  every request — pages 302 → /login, /api → 401 — and FAILS CLOSED (503) when
  PUNKTFUNK_UI_PASSWORD is unset, so a misconfigured LAN-exposed server admits no one.
- The management API stays loopback-only + token (never LAN-exposed). The proxy
  (server/routes/api/[...].ts) injects PUNKTFUNK_MGMT_TOKEN server-side and drops the
  browser's cookie before forwarding — the token never reaches the browser, which only
  holds the session cookie.

Nitro doesn't auto-scan a server/ dir, so the Nitro plugin gets an explicit scanDirs to
pick up middleware + routes. Client: removed the localStorage token (server injects it);
the fetcher bounces to /login on 401; new /login page (bare, no shell); Settings drops the
token field and gains a Sign-out button; en/de strings.

Validated live end to end: unauth /→302, /api→401; wrong pw→401; right pw→200+cookie;
authed /api/v1/status→200 (proxied, mgmt token injected — the host required it); logout→
session cleared→401. tsc + build green.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-10 18:43:14 +00:00

24 lines
1.0 KiB
Bash
Raw Blame History

# punktfunk web — management console (Bun/Nitro server) configuration.
# Copy to `.env` (gitignored) or set these in the environment of `bun run start`.
# REQUIRED in production: the shared login password for the console. The built Nitro
# server fails CLOSED (503 on every request) if this is unset, so a LAN-exposed server
# never admits anyone by accident.
PUNKTFUNK_UI_PASSWORD=change-me
# Management API the console proxies to. Keep it loopback — it should NOT be LAN-exposed;
# the login-gated web server is the only path to it.
PUNKTFUNK_MGMT_URL=http://127.0.0.1:47990
# Bearer token for the management API, injected server-side by the /api proxy (never sent
# to the browser). Must match the host's `--mgmt-token` / PUNKTFUNK_MGMT_TOKEN.
PUNKTFUNK_MGMT_TOKEN=
# OPTIONAL: explicit cookie-sealing secret (>= 32 chars). If unset, a stable key is derived
# from PUNKTFUNK_UI_PASSWORD (changing the password then invalidates sessions).
# PUNKTFUNK_UI_SECRET=
# The Bun server binds these (standard Nitro env):
# PORT=3000
# HOST=0.0.0.0
Reference in New Issue View Git Blame Copy Permalink