Commit Graph

10 Commits

Author SHA1 Message Date
Davide Scaini 42bc476882 feat: OIDC Identity Provider — Phase 1 endpoints
Add OIDC/OAuth2 endpoints to bincio-auth so it acts as a full IdP:
  GET  /.well-known/openid-configuration
  GET  /.well-known/jwks.json
  GET  /oauth2/authorize  (auth-code flow, redirects to /login/ if no session)
  POST /oauth2/token      (exchanges code for RS256 id_token; PKCE supported)
  GET  /oauth2/userinfo   (Bearer token → profile claims)

Infrastructure:
  - oauth2_clients + oauth2_codes tables in db.py with CRUD helpers
  - RS256 sign/verify helpers in tokens.py (create_id_token, get_jwks)
  - oidc_private_key_pem / oidc_issuer state + _issue_id_token in deps.py
  - serve_cmd reads BINCIO_OIDC_PRIVATE_KEY_FILE / BINCIO_OIDC_ISSUER env vars
  - `bincio-auth client add/list` commands for managing OAuth2 clients
2026-06-03 15:11:43 +02:00
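The PKCE check that the `/oauth2/token` endpoint in commit 42bc476882 implies, written out as an added example that is not bincio-auth's own code. It uses only the standard library; the `AuthCode` record, `exchange_code`, and the sample client_id and redirect_uri values are assumptions for illustration, and the known-answer pair is the S256 test vector from RFC 7636 Appendix B.

```python
"""Added example (not bincio-auth's own code): the PKCE S256 check a
/oauth2/token handler must make before it exchanges an authorization code,
plus the client_id / redirect_uri binding and single-use enforcement that
stop a leaked code from being redeemed elsewhere. `AuthCode` and
`exchange_code` are hypothetical names, not the project's."""
import base64
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


def b64url_nopad(raw: bytes) -> str:
    # RFC 7636 uses base64url without '=' padding
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_verifier() -> str:
    # RFC 7636 section 4.1: 43..128 unreserved chars; 32 random bytes -> 43 chars
    return b64url_nopad(secrets.token_bytes(32))


def challenge_s256(verifier: str) -> str:
    # code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))
    return b64url_nopad(hashlib.sha256(verifier.encode("ascii")).digest())


@dataclass
class AuthCode:
    """What the authorize step stored for one issued code (constructed shape)."""
    client_id: str
    redirect_uri: str
    code_challenge: Optional[str]  # None when the client did not send PKCE
    used: bool = False


def exchange_code(stored: AuthCode, client_id: str, redirect_uri: str,
                  code_verifier: Optional[str]) -> bool:
    """Return True only if the token request may redeem `stored`."""
    if stored.used:
        return False  # codes are single-use; a replay is rejected
    # the code is bound to the client and redirect_uri of the authorize request
    if client_id != stored.client_id or redirect_uri != stored.redirect_uri:
        return False
    if stored.code_challenge is not None:
        # PKCE was started at /authorize, so the verifier is mandatory here
        if code_verifier is None or not 43 <= len(code_verifier) <= 128:
            return False
        if not hmac.compare_digest(challenge_s256(code_verifier),
                                   stored.code_challenge):
            return False
    stored.used = True
    return True
```

The challenge comparison is constant-time and the verifier length is bounded before hashing; both are cheap, and the binding checks matter as much as the hash itself, because a code that is not tied to client_id and redirect_uri can be redeemed by whoever intercepts the redirect.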
Davide Scaini c341c27ad4 docs: OIDC migration plan — bincio-auth becomes full IdP 2026-06-03 12:38:35 +02:00
Davide Scaini 29c1bfe5ba fix: add click and rich to dependencies (required by cli.py) 2026-06-02 15:16:52 +02:00
Davide Scaini 301ad44887 deploy: add post-receive hook for VPS git-push workflow 2026-06-02 15:14:18 +02:00
Davide Scaini 3dafe3840b deploy: add systemd unit + show-secret CLI command
bincio-auth.service: runs at port 4040, reads BINCIO_AUTH_JWT_SECRET
from /etc/bincio/secrets.env (shared with bincio-activity).

show-secret: prints the JWT secret stored by 'bincio-auth init',
so the operator can add it to secrets.env without raw sqlite3.
2026-06-02 15:09:00 +02:00
Davide Scaini 0e0e5d5622 site: add Astro frontend — login, register, reset-password, invites, home
Step 8 of the migration plan. Minimal Astro + Tailwind site (no Svelte).
Pages:
- / (home): post-login card grid, shows Activity/Wiki/Planner cards based
  on wiki_access / activity_access from /api/me; URLs via PUBLIC_* env vars
- /login/: JWT cookie issued on success; ?next= redirect supported
- /register/: invite-code flow, auto-fills code from ?code= param
- /reset-password/: admin-issued code flow; disables form on success
- /invites/: list + generate invites; activity-access toggle for eligible users

Base layout: minimal nav with handle + sign-out, auth wall (/api/me check),
race-calendar accent palette, dark/light theme tokens.
2026-06-02 14:45:32 +02:00
Davide Scaini ddd15cae0f auth: add FastAPI service — models, deps, server, routers, CLI
Steps 3–7 of the migration plan:
- models.py: Pydantic request/response types
- deps.py: shared state, JWT-based auth helpers, rate limiting
- server.py: FastAPI app with CORS + gzip
- routers/auth.py: login, logout, /api/me, reset-password, register
- routers/invites.py: GET/POST /api/invites
- routers/admin.py: user listing, suspend/unsuspend, delete, access flags, reset-password-code
- cli.py: `bincio-auth init` (creates DB + admin + JWT secret) and `bincio-auth serve`

Cookie carries a signed JWT (HS256); consumers validate locally with shared secret.
2026-06-02 14:38:56 +02:00
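The local validation that commit ddd15cae0f describes for consumers of the cookie ("signed JWT (HS256); consumers validate locally with shared secret"), as an added example that is not bincio-auth's tokens.py. It is standard-library only; the claim set, the secret, the issuer string and the `now` parameter are assumptions for illustration.

```python
"""Added example (not bincio-auth's own code): mint and verify an HS256 JWT
with the standard library, the way a service sharing BINCIO_AUTH_JWT_SECRET
would validate the cookie locally. The verifier pins alg to HS256, so a
header of alg=none or an RS* algorithm is rejected outright (the classic
algorithm-confusion downgrade). Issuer name and claims are assumptions."""
import base64
import hashlib
import hmac
import json
import time
from typing import Any, Dict, Optional


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    # re-add the padding that JWT strips; bad input raises binascii.Error (a ValueError)
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_hs256(claims: Dict[str, Any], secret: bytes) -> str:
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"},
                                separators=(",", ":")).encode())
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_hs256(token: str, secret: bytes, issuer: str,
                 now: Optional[float] = None) -> Optional[Dict[str, Any]]:
    """Return the claims on success, None on any failure (never raise)."""
    try:
        h, b, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        # pin the algorithm before touching the signature
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        expected = hmac.new(secret, f"{h}.{b}".encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        claims = json.loads(_b64url_decode(b))
        if not isinstance(claims, dict):
            return None
    except (ValueError, UnicodeDecodeError):
        return None
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        return None
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or isinstance(exp, bool) or exp <= now:
        return None
    return claims
```

Signature and algorithm are checked before the payload is even parsed, the comparison is constant-time, and a missing or non-numeric `exp` fails closed. Once the service also publishes RS256 tokens under a JWKS, keep this alg pin: a verifier that accepts whatever `alg` the header names is exactly what lets an attacker present the public key as an HMAC secret.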
Davide Scaini a3a98c033d auth: add tokens.py — HS256 JWT sign/verify helpers 2026-06-02 14:29:20 +02:00
Davide Scaini 9d528043a0 auth: add db.py — SQLite data layer (users, sessions, invites, settings, prefs) 2026-06-02 14:28:59 +02:00
Davide Scaini 499e4f9dc3 init: project scaffold — pyproject.toml, package skeleton, .gitignore 2026-06-02 14:23:52 +02:00