1
Shared Auth Architecture
Shawn edited this page 2026-05-30 00:19:35 -04:00

Shared Authentication — Canteen Apps

All canteen web apps authenticate through a shared module that validates against a single database.

Architecture

┌─────────────────────────────────────────────────────────────┐
│                    User's Browser                           │
│                  Authorization: Bearer <token>              │
│              Cookie: auth_token=.ourpad.casa                │
└──────────┬──────────────────────┬──────────────────────────┘
           │                      │
           ▼                      ▼
┌──────────────────┐   ┌──────────────────┐   ┌──────────┐
│  canteen.ourpad  │   │  route.ourpad    │   │ (others) │
│   .casa:8901     │   │  .casa:8904-06   │   │          │
└──────┬───────────┘   └──────┬───────────┘   └────┬─────┘
       │                      │                     │
       └──────────────────────┴─────────────────────┘
                           │
                           ▼
              ┌────────────────────┐
              │   shared-auth/     │
              │  canteen_auth.py   │
              │  (FastAPI MW)      │
              └────────┬───────────┘
                       │
                       ▼
              ┌────────────────────┐
              │    assets.db       │
              │  ┌─────────────┐   │
              │  │   users     │   │
              │  │  sessions   │   │
              │  └─────────────┘   │
              └────────────────────┘

Key Details

  • Module location: projects/shared-auth/canteen_auth.py
  • DB path: Defaults to projects/canteen-asset-tracker/assets.db
  • Password hash: SHA-256 (NOT bcrypt — legacy, stored in password_hash column)
  • Tokens: 64-byte hex via secrets.token_hex(32), stored in sessions table
  • Token expiry: 30 days (remember_me) / 1 day (default)
  • SSO cookie: auth_token at .ourpad.casa, secure=true, samesite=lax

Apps Using This Auth

App URL Ports(s) Path
canteen-asset-tracker canteen.ourpad.casa 8901, 8090 (admin) /data/compose/3/
daily-route route.ourpad.casa 8904, 8905, 8906 /data/compose/6/
tech-photo-upload photo.ourpad.casa 8912 /data/compose/5/
system-dashboard dashboard.ourpad.casa 8080 /data/compose/7/

Login Flow

  1. User POSTs {username, password} to /api/auth/login
  2. Server hashes password with SHA-256, looks up user in users table
  3. If valid, creates sessions row with token + expiry
  4. Returns token in JSON body AND sets auth_token cookie at .ourpad.casa
  5. All subsequent API calls validate via Bearer token or cookie

Admins

All canteen apps use the same user DB. Admin is determined by role column in users table (typically role='admin'). Shared auth module exposes request.state.current_user with {id, username, role, created_at}.

Maintenance

  • To add a user: INSERT into users with SHA-256 password hash
  • To revoke access: DELETE from sessions by user_id
  • Password reset: update password_hash column (SHA-256 of new password)