Daniel Maksymilian Syrnicki
470823b347
All checks were successful
Build ISO / build-iso (push) Successful in 17m30s
CI / lint (push) Successful in 27s
CI / test (push) Successful in 43s
CI / validate-json (push) Successful in 31s
CI / markdown-links (push) Successful in 15s
Release / release (push) Successful in 11m38s
One-admin, one-password model — all of /apps, /api/*, /, and
/settings/ now require a signed-in session. Passwords are werkzeug
PBKDF2-hashed in /var/lib/furtka/users.json (mode 0600, atomic write
via the same .tmp+chmod+rename dance installer.write_env uses).
Sessions are secrets.token_urlsafe(32) tokens held in a module-level
SessionStore dict (thread-safe lock included for when we swap to
ThreadingHTTPServer). Cookies are HttpOnly, SameSite=Strict, and
Path=/, with Secure set when X-Forwarded-Proto from Caddy says HTTPS.
Two bootstrap paths:
* Fresh install — webinstaller step-1 collects Linux user + password,
the chroot post-install step hashes the password and writes
users.json on the target partition. First browser visit lands on
/login with the account already present.
* Upgrade from 26.10-alpha — no users.json yet, so /login detects
setup_needed() and renders a first-run setup form. POST creates
the admin and immediately logs in.
POST /logout revokes the server session and clears the cookie.
Unauthenticated HTML requests 302 to /login; unauthenticated API
requests 401 JSON so fetch() callers see a clean error. A sleep(0.5)
on failed logins is the brute-force speed bump on top of werkzeug's
~600k-iter PBKDF2.
Caddyfile gains /login* and /logout* handle blocks in the shared
furtka_routes snippet so both :80 and the HTTPS hostname block
forward the auth endpoints to localhost:7000. Without this Caddy
would 404 from the static file server.
Test surface:
* tests/test_auth.py (new, 19 cases): hash roundtrip, users.json
I/O, session create/lookup/expire/revoke.
* tests/test_api.py: new admin_session fixture; existing HTTP
tests updated to send the cookie; new tests cover login setup,
login success, wrong-password 401, logout revocation, and the
guard's 302/401 split.
* tests/test_webinstaller_assets.py: new case that unpacks the
users.json _write_file_cmd body and verifies the werkzeug hash
round-trips against the step-1 password.
Bumped version to 26.11-alpha and rolled CHANGELOG. Also folded in
the ruff-format fix that was pending from 26.10-alpha's lint red.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
86 lines
2.8 KiB
Caddyfile
86 lines
2.8 KiB
Caddyfile
# Serves the Furtka landing page + live JSON on :80 (plain HTTP) and on
|
|
# HTTPS via Caddy's built-in `tls internal` — locally-issued certs signed
|
|
# by a root CA that Caddy generates on first start and stores under
|
|
# /var/lib/caddy/pki/authorities/local/. Static pages are read from
|
|
# /opt/furtka/current/ — updates flip the symlink and everything picks up
|
|
# the new content without a Caddy restart (a `systemctl reload caddy` is
|
|
# still triggered post-swap to flush the file-server's handle cache).
|
|
# /apps and /api are reverse-proxied to the resource-manager API
|
|
# (furtka serve, bound to 127.0.0.1:7000).
|
|
#
|
|
# Hostname templating: __FURTKA_HOSTNAME__ gets substituted with the
|
|
# install-time hostname by webinstaller/app.py on first install and by
|
|
# furtka.updater._refresh_caddyfile on every self-update. A bare `:443
|
|
# { tls internal }` (no hostname) never triggers leaf-cert issuance, so
|
|
# SNI-based handshakes die with `SSL_ERROR_INTERNAL_ERROR_ALERT` — the
|
|
# 26.4-alpha regression this file exists to cure.
|
|
#
|
|
# Force-HTTPS: /etc/caddy/furtka.d/*.caddyfile gets imported into the :80
|
|
# block. The /api/furtka/https/force endpoint creates or removes
|
|
# redirect.caddyfile there to toggle the HTTP→HTTPS redirect, then reloads
|
|
# Caddy. Glob imports silently no-op on an empty/missing directory, so the
|
|
# toggle-off state is "no file present" rather than "empty file".
|
|
{
|
|
# Named-hostname :443 blocks would otherwise make Caddy add its own
|
|
# HTTP→HTTPS redirect — but we already serve our own `:80` block and
|
|
# the opt-in /settings toggle owns the redirect. Disable the built-in
|
|
# to keep a single source of truth.
|
|
auto_https disable_redirects
|
|
}
|
|
|
|
(furtka_routes) {
|
|
handle /api/* {
|
|
reverse_proxy localhost:7000
|
|
}
|
|
handle /apps* {
|
|
reverse_proxy localhost:7000
|
|
}
|
|
handle /login* {
|
|
reverse_proxy localhost:7000
|
|
}
|
|
handle /logout* {
|
|
reverse_proxy localhost:7000
|
|
}
|
|
# Runtime JSON lives under /var/lib/furtka/ so it survives self-updates
|
|
# (which only swap /opt/furtka/current).
|
|
handle /status.json {
|
|
root * /var/lib/furtka
|
|
file_server
|
|
}
|
|
handle /furtka.json {
|
|
root * /var/lib/furtka
|
|
file_server
|
|
}
|
|
handle /update-state.json {
|
|
root * /var/lib/furtka
|
|
file_server
|
|
}
|
|
# Download the local root CA cert Caddy generated for `tls internal`.
|
|
# Available on both :80 and :443 so users can grab it before they've
|
|
# trusted it. The private key next to it stays 0600 / caddy-owned.
|
|
handle /rootCA.crt {
|
|
root * /var/lib/caddy/pki/authorities/local
|
|
rewrite * /root.crt
|
|
file_server
|
|
header Content-Type "application/x-x509-ca-cert"
|
|
header Content-Disposition "attachment; filename=furtka-local-rootCA.crt"
|
|
}
|
|
handle {
|
|
root * /opt/furtka/current/assets/www
|
|
file_server
|
|
encode gzip
|
|
}
|
|
log {
|
|
output stdout
|
|
}
|
|
}
|
|
|
|
:80 {
|
|
import /etc/caddy/furtka.d/*.caddyfile
|
|
import furtka_routes
|
|
}
|
|
|
|
__FURTKA_HOSTNAME__.local, __FURTKA_HOSTNAME__ {
|
|
tls internal
|
|
import furtka_routes
|
|
}
|