Client portal auth (Phase 1): per-project link + password gate #63

Merged

serversdown merged 21 commits from feat/portal-auth into dev 2026-06-16 14:59:58 -04:00

Conversation 0 Commits 21 Files Changed 25

+2281 -283

serversdown commented 2026-06-16 14:59:42 -04:00

Owner

Copy Link

Copy Source

Summary

Gates each project's read-only client portal behind a secure per-project link + shared password (argon2). Operators manage access from a new "Portal access" panel on the project page (enable, generate password, copy link). Replaces the interim per-client magic-link.

• Per-project session isolation — a session for one project can't read another's data (HTTP and the live WebSocket feed; both covered by tests).
• Brute-force lockout (5 tries / 15 min) on the password gate.
• New projects columns (portal_enabled, portal_password_hash, portal_link_token) + idempotent migration.
• Retired the interim magic-link (/portal/enter, /portal/open, PORTAL_OPEN_LINKS, portal_admin.py mint-link).
• SECRET_KEY / COOKIE_SECURE now pass through docker-compose.yml (set via .env).

Deferred by design (see docs/superpowers/specs/2026-06-15-portal-auth-design.md): operator auth for the internal app, full multi-tenancy.

Test Plan

• pytest tests/ — 28 passing (gate, lockout, scope isolation incl. WS, operator endpoints, migration, cookie flag, retired routes)
• Migration runs clean on the target DB (migrate_add_project_portal_auth.py)
• Manual: enable a project's portal → set password → open the link → wrong password (lockout) → right password → see only that project's locations

Upgrade / rollout

• New dep argon2-cffi → rebuild the image (won't boot without it).
• Run python3 backend/migrate_add_project_portal_auth.py per DB.
• Set a real SECRET_KEY (+ COOKIE_SECURE=true once on HTTPS) before the portal is internet-facing.

🤖 Generated with Claude Code

## Summary Gates each project's read-only client portal behind a **secure per-project link + shared password** (argon2). Operators manage access from a new **"Portal access"** panel on the project page (enable, generate password, copy link). Replaces the interim per-client magic-link. - Per-project session isolation — a session for one project can't read another's data (HTTP **and** the live WebSocket feed; both covered by tests). - Brute-force lockout (5 tries / 15 min) on the password gate. - New `projects` columns (`portal_enabled`, `portal_password_hash`, `portal_link_token`) + idempotent migration. - Retired the interim magic-link (`/portal/enter`, `/portal/open`, `PORTAL_OPEN_LINKS`, `portal_admin.py mint-link`). - `SECRET_KEY` / `COOKIE_SECURE` now pass through `docker-compose.yml` (set via `.env`). **Deferred by design** (see `docs/superpowers/specs/2026-06-15-portal-auth-design.md`): operator auth for the internal app, full multi-tenancy. ## Test Plan - [x] `pytest tests/` — 28 passing (gate, lockout, scope isolation incl. WS, operator endpoints, migration, cookie flag, retired routes) - [x] Migration runs clean on the target DB (`migrate_add_project_portal_auth.py`) - [ ] Manual: enable a project's portal → set password → open the link → wrong password (lockout) → right password → see only that project's locations ## Upgrade / rollout - New dep `argon2-cffi` → **rebuild the image** (won't boot without it). - Run `python3 backend/migrate_add_project_portal_auth.py` per DB. - Set a real `SECRET_KEY` (+ `COOKIE_SECURE=true` once on HTTPS) before the portal is internet-facing. 🤖 Generated with [Claude Code](https://claude.com/claude-code)

serversdown added 21 commits 2026-06-16 14:59:43 -04:00

docs: portal-auth design spec (Phase 1 password gate; operator-auth + multi-tenant deferred) ... 485e3f165b

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

docs: portal-auth Phase 1 implementation plan ... 0888da32b4

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

test: stand up pytest harness + add argon2-cffi ... ec5d986ac5

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

test: tidy conftest fixtures per review (drop dead try/finally, scope override cleanup, rm unused import) 33069a070d

feat: argon2 password hashing helpers for the portal d44625374d

refactor: simplify verify_password except clause; drop unused import ad6de946b5

feat: add per-project portal gate columns + migration ... b11e1a554f

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

feat: per-project portal session mint + link-token resolve + lockout ... c04830a0ad

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

refactor: hoist Project import to top; drop unused test import 446d8704f9

feat: per-project portal password gate (/portal/p/{token}) + lockout ... d75f405857

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

fix: treat enabled-but-passwordless portal as inactive (no dead form / self-lockout) c74dada8b3

test: portal session is isolated to its own project (404 on others) ... c3eb900b7e

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

fix: link project to its portal client (project.client_id) so the portal isn't empty ... b8e4718318

Caught by adversarial review of the scope test: portal_client_for_project minted a
dedicated client but never set project.client_id, so the client-scoped routes found
no projects — every location 404'd, including the client's own (empty portal). Now
links the project + adds a positive-case test.

feat: operator portal-access endpoints (enable/password/disable/state) ... 25a4a28433

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

feat: operator Portal access panel (enable + password + link) ... eb91441904

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

fix: error handling + robust state in Portal access panel JS (per review) 0394f4b0c8

refactor: retire interim magic-link/open-link in favor of password gate ... f0a13ea2ff

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

fix: retire portal_admin mint-link (dead /portal/enter URL); refresh docstrings; assert revoke route gone 01180d5725

feat: env-driven Secure flag on portal session cookie ... 20f62a5c0a

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

docs: changelog + portal-auth Phase 1 notes da128f6173

refactor: final-review cleanup ... 766f64f35f

- delete dead magic-link helpers (resolve_token, ensure_project_client,
  mint_link_token, provision_preview_session) + now-unused datetime import
- key brute-force lockout on link_token alone (IP term only enabled a
  source-IP-rotation bypass; behind the proxy all clients share one IP)
- drop unused PORTAL_BASE_URL from the retired CLI
- add WebSocket ownership tests (unauth + cross-project both close 1008)

serversdown merged commit 98bbbcfa86 into dev 2026-06-16 14:59:58 -04:00

Sign in to join this conversation.

Reviewers

No Reviewers

Labels

Clear labels

Compat/Breaking

Breaking change that won't be backward compatible

Kind/Bug

Something is not working

Kind/Documentation

Documentation changes

Kind/Enhancement

Improve existing functionality

Kind/Feature

New functionality

Kind/Security

This is security issue

Kind/Testing

Issue or pull request related to testing

Priority

Critical

1

The priority is critical

Priority

High

2

The priority is high

Priority

Low

4

The priority is low

Priority

Medium

3

The priority is medium

Reviewed

Confirmed

1

Issue has been confirmed

Reviewed

Duplicate

2

This issue or pull request already exists

Reviewed

Invalid

3

Invalid issue

Reviewed

Won't Fix

3

This issue won't be fixed

Status

Abandoned

3

Somebody has started to work on this but abandoned work

Status

Blocked

1

Something is blocking this issue or pull request

Status

Need More Info

2

Feedback is required to reproduce issue or to continue work

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

serversdown

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: serversdown/terra-view#63