Operator-Auth full implementation. #70

2026-06-18T16:35:50-04:00

serversdown commented

2026-06-18 16:35:50 -04:00

No description provided.

serversdown added 14 commits 2026-06-18 16:35:51 -04:00

docs: operator-auth design spec (v1 password login + roles + easy reset; 2FA/operator-role deferred) 59c19291ca

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

docs: operator-auth implementation plan (10 TDD tasks) 37e6ca55c1

feat(auth): generic HMAC signed-cookie module for operator auth 8e817ec48d

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

feat(auth): OperatorUser model + role ladder 4abfcbc293

Add OperatorUser SQLAlchemy model (operator_users table, auto-created by
create_all) with email uniqueness, default active/must_change_password/
failed_login_count, and sessions_valid_from truncated to whole seconds.
Add backend/operator_auth.py with feature flag, cookie constants, _ROLE_RANK
map, role_at_least(), and _norm_email() helpers.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

feat(auth): operator session cookie + current_operator DB re-validation a6e1cb4f87

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

feat(auth): authenticate + lockout + operator data helpers e8fe4845aa

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

feat(auth): deny-by-default gate middleware + require_role 2879abb355

Adds operator_gate Starlette HTTP middleware that gates every route
except an explicit allow-list. Flag defaults OFF so all existing
behaviour and tests are unchanged. wire_operator_auth helper in
conftest lets tests monkeypatch the module-global SessionLocal and
flag, keeping the gate's own DB session pointed at the test engine.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

feat(auth): login/logout/change-password routes + pages 41ab900c33

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

feat(auth): superadmin user-management page + CRUD bff9a4af4a

/admin/users page and /api/admin/users/* JSON CRUD endpoints, all behind
require_role("superadmin"). Temp passwords are returned once on create/reset
and never stored in plaintext. Admins get 403; password_hash is never leaked.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

feat(auth): operator admin/break-glass CLI 7a4453108a

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

test(auth): regression guard — gate never blocks machine endpoints dc95a59dfa

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

chore(auth): wire OPERATOR_AUTH_ENABLED into compose + changelog 054eebe68b

fix(auth): hide /admin/users when flag off; pass OPTIONS preflight through gate 68161298a4

- operator_users router now depends on _require_auth_enabled, which raises
  404 when OPERATOR_AUTH_ENABLED is false — prevents world-open pre-seeding
  of a superadmin while the flag is off (the default).  Flag is read as a
  live module attribute (operator_auth.OPERATOR_AUTH_ENABLED) so monkeypatching
  in tests and a runtime flip both take effect.
- operator_gate passes OPTIONS requests through immediately before the exempt-
  path check, so CORS preflight reaches CORSMiddleware rather than being
  303/401'd by the gate.
- Two new tests: test_admin_surface_404s_when_flag_off (test_operator_users)
  and test_options_preflight_passes_through_gate (test_operator_gate).
  Full suite: 90 passed.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

docs(deploy): add .env.example documenting SECRET_KEY / COOKIE_SECURE / OPERATOR_AUTH_ENABLED c5ffa5c8ea

serversdown merged commit fdcb1ca532 into dev

2026-06-18 16:36:01 -04:00

Sign in to join this conversation.

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: serversdown/terra-view#70