Implement M7: auth middleware, rate limiting, CORS, and GUI login flow

Add SHA-256 API key authentication with constant-time comparison, configurable token bucket rate limiter, CORS origin allowlist middleware, and React auth context with login page. Auth info endpoint bootstraps GUI without credentials. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-06-09 10:58:54 +00:00 · 2026-03-15 11:58:13 -04:00
parent 73f27bfb48
commit 1904a92359
12 changed files with 590 additions and 71 deletions
@@ -0,0 +1,24 @@
+import type { ReactNode } from 'react';
+import { useAuth } from './AuthProvider';
+import LoginPage from '../pages/LoginPage';
+
+export default function AuthGate({ children }: { children: ReactNode }) {
+  const { loading, authRequired, authenticated } = useAuth();
+
+  if (loading) {
+    return (
+      <div className="min-h-screen bg-slate-900 flex items-center justify-center">
+        <div className="text-center">
+          <h1 className="text-2xl font-bold text-blue-400 mb-2">certctl</h1>
+          <p className="text-sm text-slate-400">Connecting...</p>
+        </div>
+      </div>
+    );
+  }
+
+  if (authRequired && !authenticated) {
+    return <LoginPage />;
+  }
+
+  return <>{children}</>;
+}
@@ -0,0 +1,87 @@
+import { createContext, useContext, useState, useEffect, useCallback } from 'react';
+import type { ReactNode } from 'react';
+import { getAuthInfo, checkAuth, setApiKey } from '../api/client';
+
+interface AuthState {
+  loading: boolean;
+  authRequired: boolean;
+  authenticated: boolean;
+  authType: string;
+  login: (key: string) => Promise<void>;
+  logout: () => void;
+  error: string | null;
+}
+
+const AuthContext = createContext<AuthState>({
+  loading: true,
+  authRequired: false,
+  authenticated: false,
+  authType: 'none',
+  login: async () => {},
+  logout: () => {},
+  error: null,
+});
+
+export function useAuth() {
+  return useContext(AuthContext);
+}
+
+export default function AuthProvider({ children }: { children: ReactNode }) {
+  const [loading, setLoading] = useState(true);
+  const [authRequired, setAuthRequired] = useState(false);
+  const [authenticated, setAuthenticated] = useState(false);
+  const [authType, setAuthType] = useState('none');
+  const [error, setError] = useState<string | null>(null);
+
+  // Check if server requires auth on mount
+  useEffect(() => {
+    getAuthInfo()
+      .then((info) => {
+        setAuthType(info.auth_type);
+        setAuthRequired(info.required);
+        if (!info.required) {
+          setAuthenticated(true);
+        }
+      })
+      .catch(() => {
+        // If auth/info fails, assume no auth required (server may be old version)
+        setAuthenticated(true);
+      })
+      .finally(() => setLoading(false));
+  }, []);
+
+  // Listen for 401 events from the API client
+  useEffect(() => {
+    const handler = () => {
+      setAuthenticated(false);
+      setApiKey(null);
+      setError('Session expired. Please re-enter your API key.');
+    };
+    window.addEventListener('certctl:auth-required', handler);
+    return () => window.removeEventListener('certctl:auth-required', handler);
+  }, []);
+
+  const login = useCallback(async (key: string) => {
+    setError(null);
+    try {
+      await checkAuth(key);
+      setApiKey(key);
+      setAuthenticated(true);
+    } catch {
+      setError('Invalid API key');
+      throw new Error('Invalid API key');
+    }
+  }, []);
+
+  const logout = useCallback(() => {
+    setApiKey(null);
+    setAuthenticated(false);
+    setError(null);
+  }, []);
+
+  return (
+    <AuthContext.Provider value={{ loading, authRequired, authenticated, authType, login, logout, error }}>
+      {children}
+    </AuthContext.Provider>
+  );
+}
@@ -1,4 +1,5 @@
 import { NavLink, Outlet } from 'react-router-dom';
+import { useAuth } from './AuthProvider';

 const nav = [
  { to: '/',              label: 'Dashboard',     icon: 'M3 12l2-2m0 0l7-7 7 7M5 10v10a1 1 0 001 1h3m10-11l2 2m-2-2v10a1 1 0 01-1 1h-3m-4 0h4' },
@@ -21,6 +22,8 @@ function Icon({ d }: { d: string }) {
 }

 export default function Layout() {
+  const { authRequired, logout } = useAuth();
+
  return (
    <div className="flex h-screen overflow-hidden">
      {/* Sidebar */}
@@ -48,8 +51,19 @@ export default function Layout() {
            </NavLink>
          ))}
        </nav>
-        <div className="p-4 border-t border-slate-700 text-xs text-slate-500">
-          certctl v1.0-dev
+        <div className="p-4 border-t border-slate-700 flex items-center justify-between">
+          <span className="text-xs text-slate-500">certctl v1.0-dev</span>
+          {authRequired && (
+            <button
+              onClick={logout}
+              className="text-xs text-slate-500 hover:text-slate-300 transition-colors"
+              title="Sign out"
+            >
+              <svg className="w-4 h-4" fill="none" viewBox="0 0 24 24" stroke="currentColor" strokeWidth={1.5}>
+                <path strokeLinecap="round" strokeLinejoin="round" d="M15.75 9V5.25A2.25 2.25 0 0013.5 3h-6a2.25 2.25 0 00-2.25 2.25v13.5A2.25 2.25 0 007.5 21h6a2.25 2.25 0 002.25-2.25V15m3 0l3-3m0 0l-3-3m3 3H9" />
+              </svg>
+            </button>
+          )}
        </div>
      </aside>