feat(gui): add auth core, setup gate, and first-run operator creation

- Add migrations 007-010 for system config, operators, sessions, audit_log - Implement argon2id password hashing via argon2-cffi - Implement session-based authentication with database-stored tokens - Add SetupGateMiddleware to redirect to /setup until first operator created - Add SessionMiddleware to load session from cookie and attach operator - Create /setup, /login, /logout, /change-password routes with CSRF protection - Add periodic session cleanup task (hourly) - Add audit logging for auth events - Update systemd unit with EnvironmentFile for /etc/central/central.env - Add comprehensive tests for auth, middleware, and audit modules Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-05-21 18:14:44 +02:00 · 2026-05-17 05:30:49 +00:00 · 2026-05-17 05:30:49 +00:00 · f059f982bc
commit f059f982bc
parent afde118d35
25 changed files with 1758 additions and 16 deletions
--- a/sql/migrations/007_add_config_system.sql
+++ b/sql/migrations/007_add_config_system.sql
@ -0,0 +1,21 @@
+-- Migration 007: Add config.system table for global settings
+-- Idempotent per docs/migrations.md
+
+CREATE TABLE IF NOT EXISTS config.system (
+    id BOOLEAN PRIMARY KEY DEFAULT true CHECK (id = true),
+    setup_complete BOOLEAN NOT NULL DEFAULT false,
+    session_lifetime_days INTEGER NOT NULL DEFAULT 90,
+    map_tile_url TEXT NOT NULL DEFAULT 'https://tile.openstreetmap.org/{z}/{x}/{y}.png',
+    map_attribution TEXT NOT NULL DEFAULT '© OpenStreetMap contributors',
+    updated_at TIMESTAMPTZ NOT NULL DEFAULT now()
+);
+
+-- Reuse existing set_updated_at trigger function
+DROP TRIGGER IF EXISTS system_set_updated_at ON config.system;
+CREATE TRIGGER system_set_updated_at
+    BEFORE UPDATE ON config.system
+    FOR EACH ROW
+    EXECUTE FUNCTION config.set_updated_at();
+
+-- Seed single row
+INSERT INTO config.system (id) VALUES (true) ON CONFLICT DO NOTHING;
--- a/sql/migrations/008_add_operators.sql
+++ b/sql/migrations/008_add_operators.sql
@ -0,0 +1,10 @@
+-- Migration 008: Add config.operators table for user accounts
+-- Idempotent per docs/migrations.md
+
+CREATE TABLE IF NOT EXISTS config.operators (
+    id BIGSERIAL PRIMARY KEY,
+    username TEXT NOT NULL UNIQUE,
+    password_hash TEXT NOT NULL,
+    created_at TIMESTAMPTZ NOT NULL DEFAULT now(),
+    password_changed_at TIMESTAMPTZ NOT NULL DEFAULT now()
+);
--- a/sql/migrations/009_add_sessions.sql
+++ b/sql/migrations/009_add_sessions.sql
@ -0,0 +1,11 @@
+-- Migration 009: Add config.sessions table for auth tokens
+-- Idempotent per docs/migrations.md
+
+CREATE TABLE IF NOT EXISTS config.sessions (
+    token TEXT PRIMARY KEY,
+    operator_id BIGINT NOT NULL REFERENCES config.operators(id) ON DELETE CASCADE,
+    created_at TIMESTAMPTZ NOT NULL DEFAULT now(),
+    expires_at TIMESTAMPTZ NOT NULL
+);
+
+CREATE INDEX IF NOT EXISTS sessions_expires_at_idx ON config.sessions(expires_at);
--- a/sql/migrations/010_add_audit_log.sql
+++ b/sql/migrations/010_add_audit_log.sql
@ -0,0 +1,15 @@
+-- Migration 010: Add config.audit_log table
+-- Idempotent per docs/migrations.md
+
+CREATE TABLE IF NOT EXISTS config.audit_log (
+    id BIGSERIAL PRIMARY KEY,
+    ts TIMESTAMPTZ NOT NULL DEFAULT now(),
+    operator_id BIGINT REFERENCES config.operators(id) ON DELETE SET NULL,
+    action TEXT NOT NULL,
+    target TEXT,
+    before JSONB,
+    after JSONB
+);
+
+CREATE INDEX IF NOT EXISTS audit_log_ts_idx ON config.audit_log(ts DESC);
+CREATE INDEX IF NOT EXISTS audit_log_action_idx ON config.audit_log(action);