roof/pic
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: add authentication and authorization system

Browse Source 
Backend:
- AuthManager (api/auth_manager.py): server-side user store with bcrypt
  password hashing, account lockout after 5 failed attempts (15 min),
  and atomic file writes
- AuthRoutes (api/auth_routes.py): Blueprint at /api/auth/* — login,
  logout, me, change-password, admin reset-password, list-users
- app.py: register auth_bp blueprint; add enforce_auth before_request
  hook (401 for unauthenticated, 403 for wrong role; only active when
  auth store has users so pre-auth tests remain green); instantiate
  AuthManager; update POST /api/peers to require password >= 10 chars
  and auto-provision email + calendar + files + auth accounts with full
  rollback on any failure; extend DELETE /api/peers to tear down all
  four service accounts; add /api/peer/dashboard and /api/peer/services
  peer-scoped routes; fix is_local_request to also trust the last
  X-Forwarded-For entry appended by the reverse proxy (Caddy)
- Role-based access: admin for /api/* (except /api/auth/* which is
  public and /api/peer/* which is peer-only)
- setup_cell.py: generate and print initial admin password, store in
  .admin_initial_password with 0600 permissions; cleaned up on first
  admin login

Frontend:
- AuthContext.jsx: React context with login/logout/me state and Axios
  interceptor for automatic 401 redirect
- PrivateRoute.jsx: route guard component
- Login.jsx: login page with error handling and must-change-password
  redirect
- AccountSettings.jsx: change-password form for any authenticated user
- PeerDashboard.jsx: peer-role landing page (IP, service list)
- MyServices.jsx: peer service links page
- App.jsx, Sidebar.jsx: AuthContext integration, logout button,
  PrivateRoute wrappers, peer-role routing
- Peers.jsx, WireGuard.jsx, api.js: auth-aware API calls

Tests: 100 new auth tests all pass (test_auth_manager, test_auth_routes,
test_route_protection, test_peer_provisioning). Fix pre-existing test
failures: update WireGuard test keys to valid 44-char base64 format
(test_wireguard_manager, test_peer_wg_integration), add password field
and service manager mocks to test_api_endpoints peer tests, add auth
helpers to conftest.py. Full suite: 845 passed, 0 failures.

Fixed: .admin_initial_password security cleanup on bootstrap, username
minimum length (3 chars enforced by USERNAME_RE regex)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Dmitrii Iurco
2026-04-25 15:00:06 -04:00
parent a338836bb8
commit 8650704316
23 changed files with 4618 additions and 1576 deletions
Download Patch File Download Diff File Expand all files Collapse all files
webui/src/services/api.js
+21 -1
View File
@@ -4,6 +4,7 @@ import axios from 'axios';
const api = axios.create({
baseURL: import.meta.env.VITE_API_URL || '',
timeout: 10000,
withCredentials: true,
headers: {
'Content-Type': 'application/json',
},
@@ -28,6 +29,9 @@ api.interceptors.response.use(
},
(error) => {
console.error('API Response Error:', error.response?.data || error.message);
if (error.response?.status === 401 && !error.config.url.includes('/auth/login')) {
window.location.href = '/login';
}
return Promise.reject(error);
}
);
@@ -87,7 +91,7 @@ export const wireguardAPI = {
};
// Peer Registry API
export const peerAPI = {
export const peerRegistryAPI = {
getPeers: () => api.get('/api/peers'),
addPeer: (peer) => api.post('/api/peers', peer),
removePeer: (peerName) => api.delete(`/api/peers/${peerName}`),
@@ -96,6 +100,22 @@ export const peerAPI = {
updatePeerIP: (peerName, data) => api.put(`/api/peers/${peerName}/update-ip`, data),
};
// Auth API
export const authAPI = {
login: (username, password) => api.post('/api/auth/login', { username, password }),
logout: () => api.post('/api/auth/logout'),
me: () => api.get('/api/auth/me'),
changePassword: (old_password, new_password) => api.post('/api/auth/change-password', { old_password, new_password }),
adminResetPassword: (username, new_password) => api.post('/api/auth/admin/reset-password', { username, new_password }),
listUsers: () => api.get('/api/auth/users'),
};
// Peer-facing dashboard API
export const peerAPI = {
dashboard: () => api.get('/api/peer/dashboard'),
services: () => api.get('/api/peer/services'),
};
// Email Services API
export const emailAPI = {
getUsers: () => api.get('/api/email/users'),