bincio-auth

brut/bincio-auth

Fork 0

Commit Graph

Author	SHA1	Message	Date
Davide Scaini	1b4f0318e7	feat: self-service password reset via email (Phase 4) - email column on users (migration-safe ALTER TABLE) - email_reset_tokens table (1h TTL, single-use) - smtp.py: send via STARTTLS, config from CLI/env vars - POST /api/auth/request-reset — sends reset link, always 200 (no email leak) - POST /api/auth/reset-password-token — consumes email token - GET/POST /api/me/email — users can register/update their email - reset-password page: email form primary, admin code form as toggle, token form shown automatically when ?token= is in URL - CLI: --smtp-host/port/user/password/from (BINCIO_SMTP_* env vars)	2026-06-03 16:03:08 +02:00
Davide Scaini	c1c1e7ae4e	auth: issue RS256 session cookies when OIDC key is configured Login endpoint switches from HS256 JWT to RS256 id_token (aud="bincio", 30-day TTL) when oidc_private_key_pem is set. Existing HS256 sessions remain valid on bincio-activity until they naturally expire.	2026-06-03 15:47:06 +02:00
Davide Scaini	ddd15cae0f	auth: add FastAPI service — models, deps, server, routers, CLI Steps 3–7 of the migration plan: - models.py: Pydantic request/response types - deps.py: shared state, JWT-based auth helpers, rate limiting - server.py: FastAPI app with CORS + gzip - routers/auth.py: login, logout, /api/me, reset-password, register - routers/invites.py: GET/POST /api/invites - routers/admin.py: user listing, suspend/unsuspend, delete, access flags, reset-password-code - cli.py: `bincio-auth init` (creates DB + admin + JWT secret) and `bincio-auth serve` Cookie carries a signed JWT (HS256); consumers validate locally with shared secret.	2026-06-02 14:38:56 +02:00

Author

SHA1

Message

Date

Davide Scaini

1b4f0318e7

feat: self-service password reset via email (Phase 4)

- email column on users (migration-safe ALTER TABLE)
- email_reset_tokens table (1h TTL, single-use)
- smtp.py: send via STARTTLS, config from CLI/env vars
- POST /api/auth/request-reset — sends reset link, always 200 (no email leak)
- POST /api/auth/reset-password-token — consumes email token
- GET/POST /api/me/email — users can register/update their email
- reset-password page: email form primary, admin code form as toggle,
  token form shown automatically when ?token= is in URL
- CLI: --smtp-host/port/user/password/from (BINCIO_SMTP_* env vars)

2026-06-03 16:03:08 +02:00

Davide Scaini

c1c1e7ae4e

auth: issue RS256 session cookies when OIDC key is configured

Login endpoint switches from HS256 JWT to RS256 id_token (aud="bincio",
30-day TTL) when oidc_private_key_pem is set. Existing HS256 sessions
remain valid on bincio-activity until they naturally expire.

2026-06-03 15:47:06 +02:00

Davide Scaini

ddd15cae0f

auth: add FastAPI service — models, deps, server, routers, CLI

Steps 3–7 of the migration plan:
- models.py: Pydantic request/response types
- deps.py: shared state, JWT-based auth helpers, rate limiting
- server.py: FastAPI app with CORS + gzip
- routers/auth.py: login, logout, /api/me, reset-password, register
- routers/invites.py: GET/POST /api/invites
- routers/admin.py: user listing, suspend/unsuspend, delete, access flags, reset-password-code
- cli.py: `bincio-auth init` (creates DB + admin + JWT secret) and `bincio-auth serve`

Cookie carries a signed JWT (HS256); consumers validate locally with shared secret.

2026-06-02 14:38:56 +02:00

3 Commits