Control plane: - Users and app grants stored in SQLite (users + user_apps tables) - bcrypt password hashing - Sessions: HashMap<token, user_id> (in-memory, cleared on restart) - Bootstrap: first admin auto-created from HIY_ADMIN_USER/HIY_ADMIN_PASS if DB is empty - /admin/users page: create/delete users, toggle admin, grant/revoke app access - /api/users + /api/users/:id/apps/:app_id REST endpoints (admin-only) Deployed apps: - Every app route now uses Caddy forward_auth pointing at /auth/verify - /auth/verify checks session cookie + user_apps grant (admins have access to all apps) - Unauthenticated -> 302 to /login?next=<original URL> - Authenticated but not granted -> /denied page - Session cookie set with Domain=.DOMAIN_SUFFIX for cross-subdomain auth Other: - /denied page for "logged in but not granted" case - Login page skips re-auth if already logged in - Cookie uses SameSite=Lax (required for cross-subdomain redirect flows) https://claude.ai/code/session_01FKCW3FDjNFj6jve4niMFXH
[package]
|
|
name = "hiy-server"
|
|
version = "0.1.0"
|
|
edition = "2024"
|
|
|
|
[[bin]]
|
|
name = "hiy-server"
|
|
path = "src/main.rs"
|
|
|
|
[dependencies]
|
|
axum = { version = "0.7", features = ["macros"] }
|
|
tokio = { version = "1", features = ["full"] }
|
|
sqlx = { version = "0.7", features = ["sqlite", "runtime-tokio-rustls", "migrate", "chrono"] }
|
|
serde = { version = "1", features = ["derive"] }
|
|
serde_json = "1"
|
|
uuid = { version = "1", features = ["v4"] }
|
|
chrono = { version = "0.4", features = ["serde"] }
|
|
tower-http = { version = "0.5", features = ["cors", "trace"] }
|
|
hmac = "0.12"
|
|
sha2 = "0.10"
|
|
hex = "0.4"
|
|
tracing = "0.1"
|
|
tracing-subscriber = { version = "0.3", features = ["env-filter"] }
|
|
dotenvy = "0.15"
|
|
async-stream = "0.3"
|
|
bcrypt = "0.15"
|
|
anyhow = "1"
|
|
futures = "0.3"
|
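Review bot: The `[dependencies]` table is not sorted alphabetically (it runs axum, tokio, sqlx, serde, serde_json, uuid, chrono, ... futures), which is a style point rather than a defect; Cargo convention is to sort dependency keys so that additions such as the new `bcrypt = "0.15"` land in a predictable place and diffs stay reviewable. Since `[package]` sets `edition = "2024"`, the manifest should also pin the minimum toolchain that supports that edition by adding `rust-version = "1.85"` after `version`, otherwise older toolchains fail with an edition error rather than a clear MSRV message. The manifest alone cannot show how `hmac`, `sha2`, `hex` and `uuid` (`v4`) are used for the session tokens the commit message describes; presumably those are the token-generation and signing primitives, so a one-line comment above that group naming their purpose, e.g. `# session-token signing and random id generation`, would help the next reviewer audit the auth path.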