git-echo/linux_patch_manager
Private
Public Access
1
0
Fork 0
Code Releases 8 Wiki Activity

feat(M2): Authentication, Authorization & Frontend Shell

Browse Source 
- pm-auth::password: Argon2id (m=65536,t=3,p=1) hashing + verification
- pm-auth::jwt: EdDSA/Ed25519 JWT issuance + validation (15-min TTL)
- pm-auth::refresh: Opaque 256-bit refresh tokens, SHA-256 hashed,
  1-hour sliding inactivity timeout, rotation on use, revocable
- pm-auth::mfa_totp: TOTP setup/verify (HMAC-SHA1, 6-digit, 30s)
  with otpauth:// URI generation (Google Authenticator compatible)
- pm-auth::mfa_webauthn: Stub (full implementation deferred)
- pm-auth::rbac: Axum middleware for JWT auth + IP whitelist +
  admin/operator role enforcement + FromRequestParts extractor
- pm-auth::session: Full login flow (password → MFA → tokens),
  token refresh, logout, force-logout
- pm-web auth routes: POST /api/v1/auth/login|refresh|logout,
  GET /api/v1/auth/mfa/setup, POST /api/v1/auth/mfa/verify
- IP whitelist middleware on all protected connection points
- migrations/002_seed_admin.sql: Default admin account seed
- Frontend: Auth store (Zustand with persistence), login page with
  MFA prompt, MFA setup page (stepper), JWT auto-refresh interceptor,
  route guards (RequireAuth), updated App.tsx routing
- cargo check --workspace: zero errors, 1 minor warning

Closes M2.
This commit is contained in:
Echo
2026-04-23 16:10:08 +00:00
parent da5a94d838
commit 6811f84a7c
22 changed files with 2014 additions and 87 deletions
Download Patch File Download Diff File Expand all files Collapse all files

36
migrations/002_seed_admin.sql Normal file
View File

@ -0,0 +1,36 @@
-- Migration: 002_seed_admin
-- Description: Seed the default admin account.
--
-- Default credentials (CHANGE BEFORE PRODUCTION USE):
-- Username: admin
-- Password: ChangeMe123!
--
-- The password hash below is Argon2id of "ChangeMe123!" with
-- m=65536, t=3, p=1. Replace after first login.
INSERT INTO users (
id,
username,
display_name,
email,
role,
auth_provider,
password_hash,
mfa_enabled,
is_active,
force_password_reset
)
VALUES (
gen_random_uuid(),
'admin',
'Administrator',
'admin@localhost',
'admin',
'local',
-- Argon2id hash of "ChangeMe123!" — REPLACE IN PRODUCTION
'$argon2id$v=19$m=65536,t=3,p=1$placeholder$placeholder',
FALSE, -- MFA disabled by default; admin must set up on first login
TRUE,
TRUE -- Force password reset on first login
)
ON CONFLICT (username) DO NOTHING;