Add credential inventory and shared auth architecture docs
@@ -0,0 +1,88 @@
|
||||
# Credential Inventory
|
||||
|
||||
Last verified: 2026-05-30
|
||||
|
||||
## Already in Vaultwarden
|
||||
|
||||
- **Gitea** — Gitea Admin, Gitea - Shawn Admin Password, Gitea - Shawn Password, Gitea API Token (Hermes), Gitea SSH Info, Gitea - Proxmox Shared Password
|
||||
- **Vaultwarden** — Vaultwarden - Hermes Bot, Vaultwarden - Shawn, Vaultwarden Admin Token
|
||||
- **Matrix/Conduit** — Matrix - 7 user tokens, Matrix Homeserver
|
||||
- **Stalwart Mail** — Stalwart Admin, Stalwart Mail - Postmaster, Stalwart Mail - Shawn
|
||||
- **NPMplus** — NPMplus Admin, NPMplus Cloudflare API Token, NPMplus Server Info
|
||||
- **Proxmox** — Proxmox PVE Root, Proxmox PVE2 Root, Proxmox Server Hosts
|
||||
- **Ollama API** — Ollama Cloud API Key (Default), Ollama Cloud API Key (Profiles)
|
||||
- **OpenCode Go** — OpenCode Go API Key
|
||||
- **Google Gemini** — Google Gemini API Key
|
||||
- **SSH Keys** — SSH Private Key - id_ed25519, SSH Private Key - id_comfyui, SSH Private Key - Ollama Service, SSH Private Key - pve1
|
||||
- **Canteen Apps** — Canteen Passwords
|
||||
- **MSFS Extraction** — Extraction App, Extraction App Info
|
||||
- **Dashboards** — Dashboards (Hermes)
|
||||
- **Cypht Webmail** — Cypht Webmail, Cypht Webmail (postmaster)
|
||||
- **Telegram Bots** — Hermes, Default, Artist, Assistant, Kanban
|
||||
- **TLS** — TLS Certificate - machine-id-scanner
|
||||
- **Audio** — Mixer Config (Audio)
|
||||
- **MyCantaloupe** — MyCantaloupe (API)
|
||||
|
||||
## Missing from Vaultwarden
|
||||
|
||||
### 1. Immich
|
||||
- URL: immich.ourpad.casa (LXC 117, 192.168.0.113)
|
||||
- Admin: shawncanada@gmail.com — password set via web UI (never changed — `shouldChangePassword=true`)
|
||||
- DB: postgres/*** on localhost (very weak password)
|
||||
- ML: GPU via gaming PC RTX 2080 at 192.168.0.181:3003
|
||||
|
||||
### 2. Obsidian LiveSync (CouchDB)
|
||||
- Connection URI encrypted in LiveSync config — passphrase known only to user
|
||||
- Remote config name: "hermes"
|
||||
|
||||
### 3. RustDesk
|
||||
- Client at this machine (192.168.0.127) → server at rustdesk.ourpad.casa (68.202.6.107)
|
||||
- Client password + ED25519 key pair stored in local config (encrypted)
|
||||
- Server (hbbs/hbbr) keys not found — need to locate
|
||||
|
||||
### 4. Portainer — NOT deployed
|
||||
### 5. Honcho
|
||||
- API: http://192.168.0.223:8100 (no auth — LAN only)
|
||||
- DB: postgres:honcho_pg_secret@database:5432/postgres
|
||||
- Cache: redis://redis:6379/0
|
||||
- API keys are placeholder *** (uses local OpenCode Go, no real API key needed)
|
||||
|
||||
## Shared Authentication
|
||||
|
||||
All canteen web apps share a single auth system:
|
||||
|
||||
- **Auth module:** `shared-auth/canteen_auth.py` in projects/
|
||||
- **Backend:** assets.db (users + sessions tables) via SQLite
|
||||
- **Protocol:** Bearer token in Authorization header
|
||||
- **SSO:** Cross-subdomain cookie at `.ourpad.casa` with `auth_token`
|
||||
- **Password hashing:** SHA-256 (legacy, not bcrypt)
|
||||
- **Token:** 64-char hex, stored in sessions table with expiry
|
||||
|
||||
**Apps sharing this auth:**
|
||||
|
||||
App | URL | Port | Notes
|
||||
---|---|---|---
|
||||
canteen-asset-tracker | canteen.ourpad.casa | 8901 | Main app
|
||||
canteen-admin-server | canteen.ourpad.casa | 8901:8090 | Admin backend
|
||||
daily-route | route.ourpad.casa | 8904, 8905, 8906 | Route tools
|
||||
tech-photo-upload | photo.ourpad.casa | 8912 | Photo tool
|
||||
system-dashboard | dashboard.ourpad.casa | 8080 | Dashboard
|
||||
|
||||
**Canteen users** are created in assets.db with SHA-256 hashed passwords. The shared auth gives every canteen app the same login credentials.
|
||||
|
||||
### Auth per Service — Summary
|
||||
|
||||
| Service | Auth Method | Credential Source |
|
||||
|---|---|---|
|
||||
| Gitea | Built-in user DB (bcrypt) | Gitea users + API tokens |
|
||||
| Vaultwarden | Master password + 2FA | Vaultwarden Admin Token |
|
||||
| Matrix/Conduit | Access tokens | Per-bot tokens |
|
||||
| Stalwart Mail | Username/password | SMTP/IMAP credentials |
|
||||
| NPMplus | Built-in admin + Cloudflare API | Admin + API token |
|
||||
| Proxmox | SSH key + root password | SSH key in VW |
|
||||
| Immich | Email/password (bcrypt) | Web UI set |
|
||||
| Canteen apps | Bearer token (SHA-256) | assets.db users/sessions |
|
||||
| RustDesk | ED25519 key pair + password | Client config |
|
||||
| Honcho | None (LAN-only, AUTH=*** | No external auth needed |
|
||||
| Ollama API | API key | VW |
|
||||
| OpenCode Go | API key | VW |
|
||||
@@ -0,0 +1,73 @@
|
||||
# Shared Authentication — Canteen Apps
|
||||
|
||||
All canteen web apps authenticate through a shared module that validates against a single database.
|
||||
|
||||
## Architecture
|
||||
|
||||
```
|
||||
┌─────────────────────────────────────────────────────────────┐
|
||||
│ User's Browser │
|
||||
│ Authorization: Bearer <token> │
|
||||
│ Cookie: auth_token=.ourpad.casa │
|
||||
└──────────┬──────────────────────┬──────────────────────────┘
|
||||
│ │
|
||||
▼ ▼
|
||||
┌──────────────────┐ ┌──────────────────┐ ┌──────────┐
|
||||
│ canteen.ourpad │ │ route.ourpad │ │ (others) │
|
||||
│ .casa:8901 │ │ .casa:8904-06 │ │ │
|
||||
└──────┬───────────┘ └──────┬───────────┘ └────┬─────┘
|
||||
│ │ │
|
||||
└──────────────────────┴─────────────────────┘
|
||||
│
|
||||
▼
|
||||
┌────────────────────┐
|
||||
│ shared-auth/ │
|
||||
│ canteen_auth.py │
|
||||
│ (FastAPI MW) │
|
||||
└────────┬───────────┘
|
||||
│
|
||||
▼
|
||||
┌────────────────────┐
|
||||
│ assets.db │
|
||||
│ ┌─────────────┐ │
|
||||
│ │ users │ │
|
||||
│ │ sessions │ │
|
||||
│ └─────────────┘ │
|
||||
└────────────────────┘
|
||||
```
|
||||
|
||||
## Key Details
|
||||
|
||||
- **Module location:** `projects/shared-auth/canteen_auth.py`
|
||||
- **DB path:** Defaults to `projects/canteen-asset-tracker/assets.db`
|
||||
- **Password hash:** SHA-256 (NOT bcrypt — legacy, stored in `password_hash` column)
|
||||
- **Tokens:** 64-byte hex via `secrets.token_hex(32)`, stored in `sessions` table
|
||||
- **Token expiry:** 30 days (remember_me) / 1 day (default)
|
||||
- **SSO cookie:** `auth_token` at `.ourpad.casa`, `secure=true`, `samesite=lax`
|
||||
|
||||
## Apps Using This Auth
|
||||
|
||||
| App | URL | Ports(s) | Path |
|
||||
|---|---|---|---|
|
||||
| canteen-asset-tracker | canteen.ourpad.casa | 8901, 8090 (admin) | `/data/compose/3/` |
|
||||
| daily-route | route.ourpad.casa | 8904, 8905, 8906 | `/data/compose/6/` |
|
||||
| tech-photo-upload | photo.ourpad.casa | 8912 | `/data/compose/5/` |
|
||||
| system-dashboard | dashboard.ourpad.casa | 8080 | `/data/compose/7/` |
|
||||
|
||||
## Login Flow
|
||||
|
||||
1. User POSTs `{username, password}` to `/api/auth/login`
|
||||
2. Server hashes password with SHA-256, looks up user in `users` table
|
||||
3. If valid, creates `sessions` row with token + expiry
|
||||
4. Returns token in JSON body AND sets `auth_token` cookie at `.ourpad.casa`
|
||||
5. All subsequent API calls validate via Bearer token or cookie
|
||||
|
||||
## Admins
|
||||
|
||||
All canteen apps use the same user DB. Admin is determined by `role` column in `users` table (typically `role='admin'`). Shared auth module exposes `request.state.current_user` with `{id, username, role, created_at}`.
|
||||
|
||||
## Maintenance
|
||||
|
||||
- To add a user: INSERT into `users` with SHA-256 password hash
|
||||
- To revoke access: DELETE from `sessions` by user_id
|
||||
- Password reset: update `password_hash` column (SHA-256 of new password)
|
||||
Reference in New Issue
Block a user