Clone
1
Shared Auth Architecture
Shawn edited this page 2026-05-30 00:19:35 -04:00
Shared Authentication — Canteen Apps
All canteen web apps authenticate through a shared module that validates against a single database.
Architecture
┌─────────────────────────────────────────────────────────────┐
│ User's Browser │
│ Authorization: Bearer <token> │
│ Cookie: auth_token=.ourpad.casa │
└──────────┬──────────────────────┬──────────────────────────┘
│ │
▼ ▼
┌──────────────────┐ ┌──────────────────┐ ┌──────────┐
│ canteen.ourpad │ │ route.ourpad │ │ (others) │
│ .casa:8901 │ │ .casa:8904-06 │ │ │
└──────┬───────────┘ └──────┬───────────┘ └────┬─────┘
│ │ │
└──────────────────────┴─────────────────────┘
│
▼
┌────────────────────┐
│ shared-auth/ │
│ canteen_auth.py │
│ (FastAPI MW) │
└────────┬───────────┘
│
▼
┌────────────────────┐
│ assets.db │
│ ┌─────────────┐ │
│ │ users │ │
│ │ sessions │ │
│ └─────────────┘ │
└────────────────────┘
Key Details
- Module location:
projects/shared-auth/canteen_auth.py - DB path: Defaults to
projects/canteen-asset-tracker/assets.db - Password hash: SHA-256 (NOT bcrypt — legacy, stored in
password_hashcolumn) - Tokens: 64-byte hex via
secrets.token_hex(32), stored insessionstable - Token expiry: 30 days (remember_me) / 1 day (default)
- SSO cookie:
auth_tokenat.ourpad.casa,secure=true,samesite=lax
Apps Using This Auth
| App | URL | Ports(s) | Path |
|---|---|---|---|
| canteen-asset-tracker | canteen.ourpad.casa | 8901, 8090 (admin) | /data/compose/3/ |
| daily-route | route.ourpad.casa | 8904, 8905, 8906 | /data/compose/6/ |
| tech-photo-upload | photo.ourpad.casa | 8912 | /data/compose/5/ |
| system-dashboard | dashboard.ourpad.casa | 8080 | /data/compose/7/ |
Login Flow
- User POSTs
{username, password}to/api/auth/login - Server hashes password with SHA-256, looks up user in
userstable - If valid, creates
sessionsrow with token + expiry - Returns token in JSON body AND sets
auth_tokencookie at.ourpad.casa - All subsequent API calls validate via Bearer token or cookie
Admins
All canteen apps use the same user DB. Admin is determined by role column in users table (typically role='admin'). Shared auth module exposes request.state.current_user with {id, username, role, created_at}.
Maintenance
- To add a user: INSERT into
userswith SHA-256 password hash - To revoke access: DELETE from
sessionsby user_id - Password reset: update
password_hashcolumn (SHA-256 of new password)