charles/claude-hooks
1
0
Fork 0
Code Issues 10 Pull requests Projects Releases Packages 1 Wiki Activity Actions

M18-8: Operator auth via Authelia #169

New issue
Closed
opened 2026-04-20 16:03:03 +00:00 by code-lead · 0 comments
code-lead commented 2026-04-20 16:03:03 +00:00
Collaborator
Copy link

As an operator, I want the new UI and all mutating endpoints fronted by the existing Authelia instance (the same auth layer Forgejo already sits behind), so that the architect (which has host filesystem access and can dispatch any agent) is protected without rolling a homegrown token scheme.

Acceptance criteria

Proxy topology

  • The web app and mutating server endpoints are served through the existing Authelia-protected reverse proxy. New vhost (e.g. claude.jacquin.app) points at 192.168.1.164:4500
  • Authelia enforces the existing "operator" access-control rule — no new identity provider, no new user accounts
  • Remote-User / Remote-Groups headers set by Authelia are trusted by the server via a configured trust_proxy CIDR list; requests from outside that list have the headers stripped

Server-side gating

  • New middleware in apps/server extracts Remote-User from the trusted proxy and attaches it to the request context as req.user
  • Every /architect/* route plus mutating /agents/*, /task, /cancel, /breakdown require req.user to match the configured operator_user
  • /health, /events, /history, /queue, /stats, /usage, /storage, /agents (GET only) remain readable on LAN without Authelia — the monitor SSE needs them and they expose no secrets
  • config/agents.json::auth block: { "operator_user": "charles", "trust_proxy": ["10.0.0.0/24"] }. Startup refuses to boot if trust_proxy is empty when any mutating route is wired

UI

  • No in-app login page — Authelia handles it upstream. Hitting /app/* unauthenticated redirects to Authelia and back
  • Web app header shows the current operator username (read from a new GET /whoami that echoes req.user)
  • A "Logout" link points at Authelia's logout URL (configurable in agents.json)

Docs

  • README "Securing the web UI" section documenting:
    • The vhost + Authelia access-control rule (sample config)
    • How to set operator_user + trust_proxy in agents.json
    • How to verify the header chain end-to-end (curl -H 'Remote-User: charles' … from trusted proxy IP succeeds; from outside 403s)

Tests

  • Unit tests: mutating routes 403 when Remote-User is missing or mismatched; accept when it matches operator_user
  • Unit test: requests with Remote-User header from an untrusted origin are ignored (treated as unauthed)
  • Integration test: read-only routes still respond without the header

Out of scope

  • Direct token auth / API key scheme — explicitly rejected; if a non-browser client needs access, file a separate story
  • Multi-operator / team accounts — still single-operator
  • Per-route fine-grained RBAC beyond operator-can-do-everything / read-only-public-on-LAN

Dependencies

  • Blocks on #M18-2 (web app bootstrap).
  • Can parallel with #M18-5, #M18-6, #M18-7.
  • Blocks #M18-9 (sunset requires auth enforced).

References

  • Spec: specs/m18-ui-rewrite-and-architect.md §Story M18-8
As an operator, I want the new UI and all mutating endpoints fronted by the existing **Authelia** instance (the same auth layer Forgejo already sits behind), so that the architect (which has host filesystem access and can dispatch any agent) is protected without rolling a homegrown token scheme. ## Acceptance criteria ### Proxy topology - [ ] The web app and mutating server endpoints are served through the existing Authelia-protected reverse proxy. New vhost (e.g. `claude.jacquin.app`) points at `192.168.1.164:4500` - [ ] Authelia enforces the existing "operator" access-control rule — no new identity provider, no new user accounts - [ ] `Remote-User` / `Remote-Groups` headers set by Authelia are trusted by the server via a configured `trust_proxy` CIDR list; requests from outside that list have the headers stripped ### Server-side gating - [ ] New middleware in `apps/server` extracts `Remote-User` from the trusted proxy and attaches it to the request context as `req.user` - [ ] Every `/architect/*` route plus mutating `/agents/*`, `/task`, `/cancel`, `/breakdown` require `req.user` to match the configured `operator_user` - [ ] `/health`, `/events`, `/history`, `/queue`, `/stats`, `/usage`, `/storage`, `/agents` (GET only) remain readable on LAN without Authelia — the monitor SSE needs them and they expose no secrets - [ ] `config/agents.json::auth` block: `{ "operator_user": "charles", "trust_proxy": ["10.0.0.0/24"] }`. Startup refuses to boot if `trust_proxy` is empty when any mutating route is wired ### UI - [ ] No in-app login page — Authelia handles it upstream. Hitting `/app/*` unauthenticated redirects to Authelia and back - [ ] Web app header shows the current operator username (read from a new `GET /whoami` that echoes `req.user`) - [ ] A "Logout" link points at Authelia's logout URL (configurable in `agents.json`) ### Docs - [ ] README "Securing the web UI" section documenting: - The vhost + Authelia access-control rule (sample config) - How to set `operator_user` + `trust_proxy` in `agents.json` - How to verify the header chain end-to-end (`curl -H 'Remote-User: charles' …` from trusted proxy IP succeeds; from outside 403s) ### Tests - [ ] Unit tests: mutating routes 403 when `Remote-User` is missing or mismatched; accept when it matches `operator_user` - [ ] Unit test: requests with `Remote-User` header from an untrusted origin are ignored (treated as unauthed) - [ ] Integration test: read-only routes still respond without the header ## Out of scope - Direct token auth / API key scheme — explicitly rejected; if a non-browser client needs access, file a separate story - Multi-operator / team accounts — still single-operator - Per-route fine-grained RBAC beyond operator-can-do-everything / read-only-public-on-LAN ## Dependencies - **Blocks on #M18-2** (web app bootstrap). - **Can parallel with #M18-5, #M18-6, #M18-7.** - **Blocks #M18-9** (sunset requires auth enforced). ## References - Spec: `specs/m18-ui-rewrite-and-architect.md` §Story M18-8
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
main
chore/sync-pre-push-from-forge-base
fix/flows-yaml-dispatch-identity
feat/board-tap-to-assign
dev/1107
code-lead/1106
code-lead/1108
dev/1104
code-lead/1103
code-lead/1080
dev/1087
feat/flows-yaml-ci-events
chore/board-drop-stalled-and-density-controls
fix/flows-yaml-routes-always-register
flows-yaml/api-defaults
dev/1023
fix/event-log-history-bleed
fix/janitor-fix-ci-logs-and-cap
dev/1022
fix/board-card-provider
code-lead/1036
dev/1025
code-lead/1020
dev/1017
code-lead/1026
feat/web-shortcut-registry-1018
dev/1015
code-lead/1009
code-lead/1008
dev/975
dev/969
dev/973
dev/967
code-lead/968
code-lead/953
dev/970
dev/976
code-lead/966
code-lead/956
code-lead/951
dev/962
dev/963
dev/977
dev/955
dev/983
dev/961
dev/974
code-lead/950
code-lead/939
dev/941
dev/940
dev/937
dev/938
dev/936
dev/935
feat/web-i18n-fr-locale
feat/spec-editor-ui-polish
chore/drop-legacy-compat
fix/skills-drop-preview-pane
fix/882-skills-safety-rail
dev/911
dev/909
dev/923
dev/917
dev/915
feat/879-sr11-m2-drop-legacy-skill
code-lead/873
dev/881
code-lead/869
dev/867
code-lead/845
code-lead/843
code-lead/844
dev/837
dev/861
dev/849
code-lead/837
code-lead/842
fix/dedup-rebase-inflight
dev/838
code-lead/847
dev/833
code-lead/848
pr/838
code-lead/841
feat/settings-save-bar/836
code-lead/840
dev/846
code-lead/839
dev/832
fix/board-sse-stale-cache
dev/834
dev/835
feat/settings-breadcrumbs
feat/forge-oauth-credentials
refactor/service-config-consolidation
feat/agent-tokens-to-secrets
feat/gitlab-oauth-to-db
feat/authelia-rip-and-voice-fixes
fix/rebase-storm-and-dead-letter
code-lead/797
code-lead/796
dev/811
code-lead/798
dev/810
code-lead/795
dev/808
code-lead/794
dev/805
dev/802
dev/803
feat/avatar-menu-settings-entry
feat/per-agent-token-tracking
dev/793
dev/747
dev/752
code-lead/790
code-lead/759
dev/756
dev/760
dev/741
dev/767
dev/740
dev/709
dev/644
dev/637
boss/614
dev/600
dev/611
dev/585
fix/login-bonus-fixes
boss/544
dev/542
refactor/api-prefix-and-session-gate
dev/489
boss/531
boss/518
dev/499
boss/516
dev/530
dev/517
dev/519
dev/515
dev/522
dev/503
dev/471
boss/329
dev/417
dev/418
dev/402
boss/327
dev/334
dev/332
boss/326
boss/325
dev/331
boss/324
boss/323
boss/322
dev/294
test/s11-task-analytics
dev/262
boss/270
dev/268
foreman/ui-consolidation-spec
dev/234
boss/196
boss/176
boss/164
fix/124-session-persist-bind
boss/52
dev/87
boss/73
dev/77
dev/81
dev/82
boss/79
dev/42
dev/35
boss/7
No results found.
Labels
Clear labels   
area:agents
Agent types, pool scheduling, per-instance config

  
area:dashboard
Dashboard UI and observability surfaces

  
area:database
DB layer — schema, migrations, ORM, raw SQL

  
area:design
UI/UX mockup work — routes to designer agent

  
area:design-review
Design review dispatch — routes to design-reviewer agent

  
area:flows
Flow runner — YAML loader, executor, op registry, expression eval

  
area:infra
Deployment, isolation, containers, systemd units

  
area:meta
Tracking, scaffolding, project setup

  
area:security
Security — routes to reviewer-security (opus)

  
area:sessions
Session-id store, Claude SDK resume logic

  
area:webhook
Forgejo webhook routing and handlers

  
area:workdir
Clone cache, worktrees, git identity

  
security
Security-sensitive issue

  
type:bug
Bug

  
type:chore
Chore

  
type:meta
Tracking or decisions, not implementation work

  
type:user-story
User story

No labels
area:agents
area:dashboard
area:database
area:design
area:design-review
area:flows
area:infra
area:meta
area:security
area:sessions
area:webhook
area:workdir
security
type:bug
type:chore
type:meta
type:user-story
Milestone
Clear milestone
No items
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
dev
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
charles/claude-hooks#169
No description provided.