feat: gate dashboard with HTTP basic auth (drop OIDC)#12
Merged
Conversation
Replace the OIDC login with a single strong username/password from TRIAGEBOT_DASHBOARD_USER / TRIAGEBOT_DASHBOARD_PASSWORD, so the live dashboard can be exposed with minimal setup (no provider, no consent screen - the browser's native prompt is the login).

- triagebot_dashboard_auth: Basic auth, constant-time compare, closed by default (503 when unset, never accidentally open); gates view + HITL
- remove triagebot_oidc_config, triagebot_auth_controller, the /auth routes, and the nova_auth / nova_auth_oidc / oidcc / jose deps (drops the nova_auth fork pin and the duplicate-module workaround entirely)
- tests rewritten for the basic-auth gate
🔴 Code Coverage — 20.3% (47 of 231 lines covered). ✅ ELP Lint — No diagnostics.
Swaps the dashboard's OIDC login for a single strong username/password from env, so the live board can be exposed with minimal setup — no provider, no consent screen, no redirect URIs. The browser's native auth prompt is the login.
What changed
- triagebot_dashboard_auth — HTTP Basic auth against TRIAGEBOT_DASHBOARD_USER / TRIAGEBOT_DASHBOARD_PASSWORD. Constant-time compare (sha256 + crypto:hash_equals). Closed by default: denies everything (503) when unset, so it's never accidentally public. Gates both the view routes and the HITL controls.
- Removed triagebot_oidc_config, triagebot_auth_controller, the /auth/:provider/* routes, and the nova_auth / nova_auth_oidc / oidcc / jose deps — which also drops the nova_auth fork pin and the whole duplicate-module workaround.

Verified on a running release
- /health public (200)
- / with no creds → 401 + WWW-Authenticate: Basic
- wrong creds → 401
- correct creds → 200 dashboard
- run detail + live SSE stream work behind the gate
- unauthenticated SSE → 401
- fmt / xref / dialyzer / ct all clean

Run it
Note: this supersedes the OIDC gate shipped in v0.1.10. The upstream nova_auth fix (novaframework/nova_auth#11) is no longer needed by triagebot, but remains a valid upstream cleanup.
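The decision table the PR describes (public /health, 503 when the env vars are unset, 401 with a WWW-Authenticate challenge on missing or wrong credentials, 200 on a match) as an added, standalone Python model. This is not triagebot's Erlang triagebot_dashboard_auth module and not code from this PR; it reads the same TRIAGEBOT_DASHBOARD_USER / TRIAGEBOT_DASHBOARD_PASSWORD variables and mirrors the sha256-then-constant-time-compare approach, with Python's hmac.compare_digest standing in for crypto:hash_equals. The public-path list (only /health), the realm string, the request shape and every function name are assumptions.

```python
"""Standalone model of an HTTP Basic auth gate of the kind described in this PR.

Added example, not triagebot's Erlang module. The env var names are the ones the
PR cites; PUBLIC_PATHS, REALM, the function names and the (path, header) request
shape are assumptions made for this illustration.
"""
import base64
import hashlib
import hmac
import os

# Assumption: only the health probe stays public while the gate is armed.
PUBLIC_PATHS = {"/health"}
# Assumption: realm string; the PR only says the challenge is "Basic".
REALM = 'Basic realm="triagebot"'


def _digest(value: str) -> bytes:
    """Hash before comparing so both sides always have the same length and the
    compare does not leak the configured secret's length."""
    return hashlib.sha256(value.encode("utf-8")).digest()


def _credentials_match(user: str, password: str, exp_user: str, exp_password: str) -> bool:
    # Run both compares unconditionally (no short-circuit) so timing does not
    # reveal whether it was the username or the password that failed.
    user_ok = hmac.compare_digest(_digest(user), _digest(exp_user))
    pass_ok = hmac.compare_digest(_digest(password), _digest(exp_password))
    return user_ok and pass_ok


def parse_basic(header):
    """Return (user, password) from an Authorization header, or None if it is
    not a well-formed Basic credential. Passwords may contain ':'; the user may not."""
    if header is None:
        return None
    scheme, _, blob = header.strip().partition(" ")
    if scheme.lower() != "basic" or not blob:
        return None
    try:
        decoded = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    if ":" not in decoded:
        return None
    user, _, password = decoded.partition(":")
    return user, password


def gate(path, auth_header, env=None):
    """Decide one request. Returns (status, extra_headers); 200 means 'run the handler'."""
    env = os.environ if env is None else env
    if path in PUBLIC_PATHS:
        return 200, {}
    exp_user = env.get("TRIAGEBOT_DASHBOARD_USER")
    exp_password = env.get("TRIAGEBOT_DASHBOARD_PASSWORD")
    # Closed by default: unset or empty credentials mean nobody gets in, and no
    # challenge is sent, so a misconfigured deployment never invites a login attempt.
    if not exp_user or not exp_password:
        return 503, {}
    creds = parse_basic(auth_header)
    if creds is None or not _credentials_match(*creds, exp_user, exp_password):
        return 401, {"WWW-Authenticate": REALM}
    return 200, {}


def basic_header(user, password):
    """Build the Authorization value a browser sends after its native prompt."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
```

Two ordering choices matter here: the closed-by-default check runs before any credential parsing, so an unset deployment answers 503 even to a request that carries a valid-looking header, and the username is hashed and compared with the same constant-time primitive as the password rather than with `==`, so neither field leaks through timing.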