admin/homelab
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
homelab/apps/finance/services/api/main
History
Gonçalo Rodrigues cedc0c2192 feat: self-contained auth system for standalone cloud deployment (#27) 
* fix(k8s): expose / without auth so homepage is publicly reachable

Adds a second Ingress (api-public) for the exact path / with no
forward-auth middleware. Traefik prefers the Exact match for the root,
while the Prefix ingress (with auth) still protects all other routes.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix: homepage renders correctly at / for unauthenticated visitors

Two fixes:
1. Added parseStandalone() helper — parseTmpl() roots on "" but ParseFS()
   stores standalone (no {{define}}) files under their base filename, so
   Execute() ran the empty root and returned Content-Length: 0.
2. Added router.priority: 100 annotation to api-public ingress so Traefik
   picks the Exact / rule over the Prefix / rule (Traefik ranks by rule
   string length by default, which made PathPrefix beat Path).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix(k8s): remove forward-auth middleware from finance ingress

The app now handles its own auth at /auth/login — Traefik no longer
needs to forward-auth requests, which was causing redirects to
auth.homelab.local instead of finance.homelab.local.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* feat(auth): harden authentication for cloud deployment

1. Secure cookie flag — set when BASE_URL starts with https://
2. SameSite=Strict on session cookie (was Lax)
3. Rate limiter — per-IP, 10 failures → 15-min lockout, auto-cleanup goroutine
4. Session rotation on login — old session deleted before issuing new one
   (prevents session fixation attacks)
5. bcrypt cost 12 (was DefaultCost/10, OWASP minimum for cloud)
6. Security headers middleware on all responses:
   X-Content-Type-Options, X-Frame-Options, Referrer-Policy,
   Permissions-Policy, Content-Security-Policy, HSTS (when HTTPS)
7. Structured audit logging — login success/failure/lockout with IP + email
8. Google OAuth state cookie gets Secure flag too

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Gonçalo Rodrigues <guga@Goncalos-MacBook-Pro.local>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-15 18:30:19 +01:00
..
templates
feat: public landing page + split personal/business nav (#26)
2026-06-15 18:18:09 +01:00
testdata
test: add missing traderepublic_securities.csv testdata fixture
2026-06-13 19:32:17 +01:00
.DS_Store
csv_test.go
csv.go
handler_auth.go
feat: self-contained auth system for standalone cloud deployment (#27)
2026-06-15 18:30:19 +01:00
handler_org.go
feat: public landing page + split personal/business nav (#26)
2026-06-15 18:18:09 +01:00
handler_test.go
feat: self-contained auth system for standalone cloud deployment (#27)
2026-06-15 18:30:19 +01:00
handler.go
feat: self-contained auth system for standalone cloud deployment (#27)
2026-06-15 18:30:19 +01:00
main.go
feat: self-contained auth system for standalone cloud deployment (#27)
2026-06-15 18:30:19 +01:00
models_auth.go
feat: public landing page + split personal/business nav (#26)
2026-06-15 18:18:09 +01:00
models_org.go
feat: animated homepage + split personal/business navigation (#25)
2026-06-14 17:02:37 +01:00
models.go
feat: user-editable ISIN→ticker mappings for unrecognised holdings
2026-06-13 19:05:36 +01:00
portfolio_test.go
portfolio.go
feat: user-editable ISIN→ticker mappings for unrecognised holdings
2026-06-13 19:05:36 +01:00
seed.go
feat: public landing page + split personal/business nav (#26)
2026-06-15 18:18:09 +01:00
store_auth.go
feat: public landing page + split personal/business nav (#26)
2026-06-15 18:18:09 +01:00
store_org.go
feat: add checkable goals list to org events (#24)
2026-06-14 16:15:55 +01:00
store.go
feat: user-editable ISIN→ticker mappings for unrecognised holdings
2026-06-13 19:05:36 +01:00