binarybeachio: Bucket-4 trusted-JWT auth — replaces in-place github.py patch
Migrates this fork to the binarybeachio platform-architecture pivot: oauth2-proxy at the edge enforces a Zitadel session, the auth-bridge mints a short-lived RS256 JWT, and a NEW additive endpoint at /auth/sign-in-trusted/ verifies the JWT, claims its jti against shared-redis (single-use replay protection, fail-closed), find-or-creates the User, and starts a Django session via user_login(). Net surface vs. upstream-clean: 1 new view file + 1 url path + 1 exports __init__ entry + 7 reserved error codes (6000-6099 range). github.py and the GitHub-button rebrand patch are reverted to upstream — sign-in entry-point UX is now driven by Traefik redirectregex on /sign-in* in infrastructure/plane/docker-compose.yml. Replay protection contract: jti claim minted by bridge, consumed via Redis SETNX with ttl = exp - now + 30s. Documented at binarybeachio/docs/architecture/bridge-jwt-replay-protection.md. Public-key transport: BB_BRIDGE_PUBLIC_KEY_URL env points at the in-cluster bridge's /.well-known/bb-bridge.pub.pem (avoids the env-PEM corruption issue Coolify has with backslash-escaped keys). Endpoint is implicitly disabled (404) when env unset — vanilla upstream behavior preserved. Storage patches (Patch 2) unchanged. Brand asset preserved (dormant). Pre-migration source state preserved on branch pre-migration-2026-05-04. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
parent
d950222749
commit
712612865d
10 changed files with 490 additions and 232 deletions
|
|
@ -1,13 +1,17 @@
|
|||
# bb-plane-fork local-test env — copy to `.env.bb-local` and fill in.
|
||||
# Gitignored. Used by docker-compose.bb-local.yml.
|
||||
|
||||
# Zitadel OIDC client created at https://auth.binarybeach.io/ui/console/
|
||||
# (Project → Add Application → Web → Code flow). Redirect URIs to register:
|
||||
# http://localhost:8888/auth/github/callback/
|
||||
# https://pm.binarybeach.io/auth/github/callback/
|
||||
GITHUB_CLIENT_ID=__paste-from-zitadel__
|
||||
GITHUB_CLIENT_SECRET=__paste-from-zitadel__
|
||||
# Bucket-4 trusted-JWT endpoint (apps/api/plane/authentication/views/app/trusted.py).
|
||||
# Activated when this URL is set; unset → endpoint returns 404 (regression-safe
|
||||
# default; vanilla upstream behavior preserved out of the box).
|
||||
#
|
||||
# Production points at the in-cluster bridge service:
|
||||
# http://auth-bridge-<uuid>:3000/.well-known/bb-bridge.pub.pem
|
||||
# Local dev typically points at a manually-served PEM (e.g. via `python3 -m http.server`)
|
||||
# or at the production bridge for read-only key fetch testing:
|
||||
# https://bridge.binarybeach.io/.well-known/bb-bridge.pub.pem
|
||||
BB_BRIDGE_PUBLIC_KEY_URL=
|
||||
|
||||
# Zitadel host. Setting this activates the OIDC code path in our patched
|
||||
# GitHubOAuthProvider. Override here if testing against a different Zitadel.
|
||||
ZITADEL_DOMAIN=auth.binarybeach.io
|
||||
# When BB_BRIDGE_PUBLIC_KEY_URL is unset, the trusted endpoint is disabled and
|
||||
# Plane behaves like upstream-vanilla (email+password sign-in, the four
|
||||
# stock OAuth providers). That's the right default for purely-local hacking.
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue