kindred/silo-mod
1
1
Fork 0
Code Issues 7 Pull Requests Actions Packages Projects Releases Wiki Activity
Files
e92c022e80b471ffcfcfbcff97930d92e94dac4e
silo-mod/internal/api/templates/settings.html
forbes e92c022e80 feat(auth): add authentication, RBAC, API tokens, and default admin 
Add a complete authentication and authorization system to Silo with
three pluggable backends (local bcrypt, LDAP/FreeIPA, OIDC/Keycloak),
session management, API token support, and role-based access control.

Authentication backends:
- Local: bcrypt (cost 12) password verification against users table
- LDAP: FreeIPA simple bind with group-to-role mapping
- OIDC: Keycloak redirect flow with realm role mapping
- Backends are tried in order; users upserted to DB on first login

Session and token management:
- PostgreSQL-backed sessions via alexedwards/scs + pgxstore
- Opaque API tokens (silo_ prefix, SHA-256 hashed, shown once)
- 24h session lifetime, HttpOnly/SameSite=Lax/Secure cookies

Role-based access control (admin > editor > viewer):
- RequireAuth middleware: Bearer token -> session -> redirect/401
- RequireRole middleware: per-route-group minimum role enforcement
- CSRF protection via justinas/nosurf on web forms, API exempt
- CORS locked to configured origins when auth enabled

Route restructuring:
- Public: /health, /ready, /login, /auth/oidc, /auth/callback
- Web (auth + CSRF): /, /projects, /schemas, /settings
- API read (viewer): GET /api/**
- API write (editor): POST/PUT/PATCH/DELETE /api/**

User context wiring:
- created_by/updated_by columns on items, projects, relationships
- All create/update handlers populate tracking fields from context
- CSV and BOM import handlers pass authenticated username
- Revision creation tracks user across all code paths

Default admin account:
- Configurable via auth.local.default_admin_username/password
- Env var overrides: SILO_ADMIN_USERNAME, SILO_ADMIN_PASSWORD
- Idempotent: created on first startup, skipped if exists

CLI and FreeCAD plugin:
- silo token create/list/revoke subcommands (HTTP API client)
- FreeCAD SiloClient sends Bearer token on all requests
- Token read from ApiToken preference or SILO_API_TOKEN env var

Web UI:
- Login page (Catppuccin Mocha themed, OIDC button conditional)
- Settings page with account info and API token management
- User display name, role badge, and logout button in header
- One-time token display banner with copy-to-clipboard

Database (migration 009):
- users table with role, auth_source, oidc_subject, password_hash
- api_tokens table with SHA-256 hash, prefix, expiry, scopes
- sessions table (scs pgxstore schema)
- audit_log table (schema ready for future use)
- created_by/updated_by ALTER on items, relationships, projects

New dependencies: scs/v2, scs/pgxstore, go-oidc/v3, go-ldap/v3,
justinas/nosurf, golang.org/x/oauth2
2026-01-31 11:20:12 -06:00

292 lines
8.9 KiB
HTML
Raw Blame History

{{define "settings_content"}}
<style>
.settings-section {
margin-bottom: 2rem;
}
.settings-info {
display: grid;
grid-template-columns: auto 1fr;
gap: 0.5rem 1.5rem;
margin-top: 1rem;
}
.settings-info dt {
color: var(--ctp-subtext0);
font-weight: 500;
}
.settings-info dd {
color: var(--ctp-text);
}
.role-badge {
display: inline-block;
padding: 0.15rem 0.5rem;
border-radius: 1rem;
font-size: 0.8rem;
font-weight: 600;
}
.role-admin {
background: rgba(203, 166, 247, 0.2);
color: var(--ctp-mauve);
}
.role-editor {
background: rgba(137, 180, 250, 0.2);
color: var(--ctp-blue);
}
.role-viewer {
background: rgba(148, 226, 213, 0.2);
color: var(--ctp-teal);
}
.token-display {
display: block;
padding: 0.75rem 1rem;
background: var(--ctp-base);
border: 1px solid var(--ctp-surface1);
border-radius: 0.5rem;
font-family: "JetBrains Mono", "Fira Code", monospace;
font-size: 0.85rem;
color: var(--ctp-peach);
word-break: break-all;
margin: 0.75rem 0;
}
.new-token-banner {
background: rgba(166, 227, 161, 0.1);
border: 1px solid rgba(166, 227, 161, 0.3);
border-radius: 0.75rem;
padding: 1.25rem;
margin-bottom: 1.5rem;
}
.new-token-banner p {
color: var(--ctp-green);
font-weight: 600;
margin-bottom: 0.5rem;
}
.new-token-banner .hint {
color: var(--ctp-subtext0);
font-size: 0.85rem;
font-weight: 400;
}
.copy-btn {
padding: 0.4rem 0.75rem;
background: var(--ctp-surface1);
border: none;
border-radius: 0.4rem;
color: var(--ctp-text);
cursor: pointer;
font-size: 0.85rem;
}
.copy-btn:hover {
background: var(--ctp-surface2);
}
.token-prefix {
font-family: "JetBrains Mono", "Fira Code", monospace;
color: var(--ctp-peach);
}
.btn-danger {
background: rgba(243, 139, 168, 0.15);
color: var(--ctp-red);
border: none;
padding: 0.4rem 0.75rem;
border-radius: 0.4rem;
cursor: pointer;
font-size: 0.85rem;
}
.btn-danger:hover {
background: rgba(243, 139, 168, 0.25);
}
.create-token-form {
display: flex;
gap: 0.75rem;
align-items: flex-end;
flex-wrap: wrap;
}
.create-token-form .form-group {
margin-bottom: 0;
flex: 1;
min-width: 200px;
}
.no-tokens {
color: var(--ctp-subtext0);
padding: 2rem;
text-align: center;
}
</style>
<div class="settings-section">
<div class="card">
<div class="card-header">
<h2 class="card-title">Account</h2>
</div>
{{if .User}}
<dl class="settings-info">
<dt>Username</dt>
<dd>{{.User.Username}}</dd>
<dt>Display Name</dt>
<dd>{{.User.DisplayName}}</dd>
<dt>Email</dt>
<dd>
{{if .User.Email}}{{.User.Email}}{{else}}<span
style="color: var(--ctp-overlay0)"
>Not set</span
>{{end}}
</dd>
<dt>Auth Source</dt>
<dd>{{.User.AuthSource}}</dd>
<dt>Role</dt>
<dd>
<span class="role-badge role-{{.User.Role}}"
>{{.User.Role}}</span
>
</dd>
</dl>
{{end}}
</div>
</div>
<div class="settings-section">
<div class="card">
<div class="card-header">
<h2 class="card-title">API Tokens</h2>
</div>
<p
style="
color: var(--ctp-subtext0);
margin-bottom: 1.25rem;
font-size: 0.9rem;
"
>
API tokens allow the FreeCAD plugin and scripts to authenticate with
Silo. Tokens inherit your role permissions.
</p>
{{if and .Data (index .Data "new_token")}} {{if ne (index .Data
"new_token") ""}}
<div class="new-token-banner">
<p>Your new API token (copy it now — it won't be shown again):</p>
<code class="token-display" id="new-token-value"
>{{index .Data "new_token"}}</code
>
<button
class="copy-btn"
onclick="
navigator.clipboard
.writeText(
document.getElementById('new-token-value')
.textContent,
)
.then(() => {
this.textContent = 'Copied!';
})
"
>
Copy to clipboard
</button>
<p class="hint">
Store this token securely. You will not be able to see it again.
</p>
</div>
{{end}} {{end}}
<form
method="POST"
action="/settings/tokens"
class="create-token-form"
style="margin-bottom: 1.5rem"
>
<input type="hidden" name="csrf_token" value="{{.CSRFToken}}" />
<div class="form-group">
<label class="form-label">Token Name</label>
<input
type="text"
name="name"
class="form-input"
placeholder="e.g., FreeCAD workstation"
required
/>
</div>
<button
type="submit"
class="btn btn-primary"
style="padding: 0.75rem 1.25rem; white-space: nowrap"
>
Create Token
</button>
</form>
<div class="table-container">
<table>
<thead>
<tr>
<th>Name</th>
<th>Prefix</th>
<th>Created</th>
<th>Last Used</th>
<th>Expires</th>
<th>Actions</th>
</tr>
</thead>
<tbody id="tokens-table"></tbody>
</table>
</div>
</div>
</div>
{{end}} {{define "settings_scripts"}}
<script>
(function () {
async function loadTokens() {
try {
const resp = await fetch("/api/auth/tokens");
if (!resp.ok) return;
const tokens = await resp.json();
const tbody = document.getElementById("tokens-table");
if (!tokens || tokens.length === 0) {
tbody.innerHTML =
'<tr><td colspan="6" class="no-tokens">No API tokens yet. Create one to get started.</td></tr>';
return;
}
tbody.innerHTML = tokens
.map(
(t) => `
<tr>
<td>${escHtml(t.name)}</td>
<td><span class="token-prefix">${escHtml(t.token_prefix)}...</span></td>
<td>${formatDate(t.created_at)}</td>
<td>${t.last_used_at ? formatDate(t.last_used_at) : '<span style="color:var(--ctp-overlay0)">Never</span>'}</td>
<td>${t.expires_at ? formatDate(t.expires_at) : '<span style="color:var(--ctp-overlay0)">Never</span>'}</td>
<td>
<form method="POST" action="/settings/tokens/${t.id}/revoke" style="display:inline">
<input type="hidden" name="csrf_token" value="{{.CSRFToken}}">
<button type="submit" class="btn-danger" onclick="return confirm('Revoke this token?')">Revoke</button>
</form>
</td>
</tr>
`,
)
.join("");
} catch (e) {
console.error("Failed to load tokens:", e);
}
}
function formatDate(s) {
if (!s) return "";
const d = new Date(s);
return (
d.toLocaleDateString() +
" " +
d.toLocaleTimeString([], { hour: "2-digit", minute: "2-digit" })
);
}
function escHtml(s) {
const div = document.createElement("div");
div.textContent = s;
return div.innerHTML;
}
// Check for newly created token in URL or page state
const params = new URLSearchParams(window.location.search);
// The token is passed via a cookie/session flash, rendered by the server if present
loadTokens();
})();
</script>
{{end}}
Reference in New Issue View Git Blame Copy Permalink