feat(sight): add token-based dashboard authentication#1403
Conversation
7cc2611 to
78e38cf
Compare
|
Nice work shipping auth for the dashboard — the overall design (auto-generated token, loopback bypass, signed session cookies) is well-suited for a local observability tool. A few findings from a deep review, grouped by priority: Worth addressing before merge1. Token file TOCTOU race (auth.rs:131-137) 2. AuthMiddleware has no HTTP-level integration test (auth.rs:271-448) Worth noting3. Auth handler endpoints have no handler-level tests (handlers.rs:41-95) 4. 5. Defense-in-depth (default localhost deployment neutralizes these)6. Loopback bypass via 7. Token in query param + CLI stdout (auth.rs:377, dashboard.rs:62) — 8. No logout mechanism — the HttpOnly 24h cookie cannot be revoked. Only matters when bound to a non-loopback address with shared browser access. 9. 10. Overall the auth is solid for its intended deployment model. Items 1-2 are the ones I'd flag for this round; the rest are noted for awareness. |
78e38cf to
4dfade1
Compare
- Add AuthMiddleware with token/cookie verification for actix-web - Auto-generate 32-byte random token on first startup, persist to .dashboard_token - Localhost (127.0.0.1) requests bypass auth automatically - Add POST /api/auth/login, GET /api/auth/status, GET /api/auth/verify endpoints - Add LoginPage component with AuthGate in frontend SPA - URL token parameter auto-login: copy link with ?token=xxx for one-click access - Add 'agentsight dashboard' CLI command showing auth status and access URLs - Add 'agentsight serve --no-auth / --token' flags for dev override - Session cookie (HMAC-SHA256 signed, 24h TTL) for persistent login - Update agentsight.json with server.auth config section - Update AGENTS.md with new CLI command and API endpoints
4dfade1 to
8bb6f85
Compare
|
Thanks for the thorough review @jfeng18 — really helpful feedback. Here's what's been addressed: Addressed in this round1. Token file TOCTOU race (auth.rs:131-137) 2. AuthMiddleware HTTP-level integration tests 3. Auth handler endpoint tests 4. 5. Acknowledged for follow-up6–10: Noted — loopback bypass behind reverse proxy, token in query param, no logout mechanism, |
|
Round-2 follow-up — went deeper on a few areas and this time actually built and ran reproduction tests. Empirical (rustc 1.89.0, a real actix test wired exactly like 1. 2. CORS preflight 401'd by middleware ordering (medium — reproduced above). 3. Cross-origin build → login loop (low, code-trace only, not browser-executed). 4. Frontend gate fails open on probe error (low). 5. AuthGate re-probes on every navigation (low). Items 1 and 2 are the ones I'd flag for this round; 3-5 are minor / scoped. |
- Remove token and token_file fields from ServerAuthConfig (only enabled remains) - Remove --no-auth CLI flag from serve command - Add --config flag to both serve and dashboard commands (default: /etc/agentsight/config.json) - Extract shared load_server_auth_config() helper in cli/mod.rs - Both commands now read server.auth.enabled from the same agentsight.json - DashboardAuth::init always auto-generates token via read_or_create_token() - Simplify agentsight.json server.auth block to only contain enabled field - Update all tests to use auto-generated tokens with unique temp dirs
Remove /metrics from EXEMPT_PREFIXES — token consumption statistics should not be exposed to unauthenticated network clients. Prometheus scraping use case: configure bearer_token in scrape config. CLI 'agentsight metrics' reads SQLite directly, unaffected.
Add LOCALHOST_ONLY_PREFIXES for /health and /metrics — non-loopback requests receive 403 Forbidden even if auth is disabled. This prevents exposing health checks and Prometheus metrics to the network while still allowing local monitoring tools. Middleware flow: 1. Check localhost-only restriction first (403 if remote) 2. Then check auth disabled / loopback bypass / exempt paths
Add early return for OPTIONS method in AuthMiddleware.call() so that CORS preflight requests are not 401'd before reaching the Cors middleware layer. Without this, cross-origin requests from remote browsers would fail on preflight to non-exempt /api/* routes (e.g., /api/sessions). Test verifies: - GET /api/sessions from remote → 401 (auth required) - OPTIONS /api/sessions from remote → not 401 (passes to CORS)
|
Thanks for the round-2 deep dive @jfeng18 — here's what's been addressed: Addressed1. 2. CORS preflight 401'd by middleware ordering (medium)
Commit: a549c6a Acknowledged for follow-up3–5: Cross-origin login loop, AuthGate fail-open, and per-navigation re-probing — all scoped to non-default deployments or frontend UX. Noted for a follow-up PR if the team considers them urgent. Also addressed from earlier rounds:
|
Description
AgentSight Dashboard (port 7396) currently has no user authentication. When exposed on public networks, anyone can access the dashboard without credentials, posing a security risk.
This PR implements token-based API Key authentication for the dashboard:
.dashboard_token(mode 0600)/api/*requests, checking Bearer token, query param, or signed session cookieAuthGatecomponent with auto-login from URL?token=xxxparameteragentsight dashboardCLI command outputs ready-to-share URLs with embedded tokenRelated Issue
no-issue: internal requirement (Aone #83726576)
Type of Change
Scope
sight(agentsight)Key Changes
src/server/auth.rs: New auth module —DashboardAuth(token gen, cookie signing/verify),AuthMiddleware(actix-web Transform/Service), exempt path logicsrc/server/handlers.rs: AddPOST /api/auth/login,GET /api/auth/status,GET /api/auth/verifyendpointssrc/server/mod.rs: IntegrateAuthMiddlewareintoHttpServer, addauth: Arc<DashboardAuth>toAppStatesrc/config.rs: AddServerAuthConfig(enabled, token, token_file) parsed fromagentsight.jsonserver.authsectionsrc/bin/cli/dashboard.rs: Newagentsight dashboardCLI showing auth status, local/network URLs with tokensrc/bin/cli/serve.rs: Add--no-authand--tokenflags for dev overridesrc/bin/agentsight.rs+src/bin/cli/mod.rs: Registerdashboardsubcommanddashboard/src/pages/LoginPage.tsx: New token input form componentdashboard/src/App.tsx: AddAuthGatewith URL token auto-login, client-side auth state machinedashboard/src/utils/apiClient.ts: Addcredentials: 'same-origin', 401 redirect, auth API functionsagentsight.json: Addserver.authconfig sectionAGENTS.md: Document new CLI command and API endpointssrc/server/token_savings.rs: Update testAppStatewith auth fieldChecklist
cargo fmt --checkpasscargo clippy --all-targets— no new warnings from changed files (pre-existing warnings in other files)cargo testpass (52 server tests including 11 new auth tests)Cargo.lock)Testing
curl http://127.0.0.1:7396/api/sessionsreturns 200 without tokencurl http://<host-ip>:7396/api/sessionsreturns 401POST /api/auth/loginwith correct token setsagentsight_sessioncookie (24h TTL, httpOnly)http://<host-ip>:7396/?token=xxxin browser → auto-authenticates, token removed from URLagentsight dashboardshows local URL (no auth) and network URL with embedded tokenauth.rscovering token generation, cookie signing/verify, exempt paths, query parsing