feat: make dashboard auth opt-in, off by default#407
Conversation
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (3)
✅ Files skipped from review due to trivial changes (2)
🚧 Files skipped from review as they are similar to previous changes (1)
📝 WalkthroughWalkthroughDashboard authentication is now open by default, with opt-in session authentication and legacy token support across Java, Node, and Python. Server status responses, SPA gating, CLI/configuration options, tests, and authentication documentation were updated accordingly. ChangesDashboard authentication modes
Estimated code review effort: 4 (Complex) | ~60 minutes Sequence Diagram(s)sequenceDiagram
participant DashboardSPA
participant DashboardServer
participant AuthStatus
participant DashboardAPI
DashboardSPA->>DashboardServer: Request auth status
DashboardServer->>AuthStatus: Resolve auth_enabled and setup_required
AuthStatus-->>DashboardSPA: Return authentication status
DashboardSPA->>DashboardAPI: Request dashboard data
DashboardAPI-->>DashboardSPA: Serve open routes or enforce selected auth mode
Possibly related PRs
🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Comment |
There was a problem hiding this comment.
Actionable comments posted: 3
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@docs/content/docs/java/guides/operations/cli.mdx`:
- Around line 32-38: Update the dashboard CLI example description to state that
including --auth enables session authentication, while omitting --auth serves
the dashboard in open mode; reference the dashboard command documentation text
around the CLI example.
In `@docs/content/docs/java/guides/operations/security.mdx`:
- Around line 60-64: Update the security guide text near the session-auth
description to preserve the public-route exception: replace “every route after
that needs a valid session” with wording that states every non-public or
protected route requires a valid session after setup, while retaining the
existing admin/viewer RBAC, CSRF, and OAuth/OIDC details.
In
`@sdks/java/src/main/java/org/byteveda/taskito/dashboard/auth/AuthHandlers.java`:
- Around line 60-62: Update the unauthenticated session handling in AuthHandlers
methods whoami and changePassword to throw
DashboardError.unauthorized("not_authenticated") instead of notFound or
badRequest, matching Policy.authorize and logoutInvalidatesSession behavior.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: 68aec5d6-7f73-4ab4-b41a-0b249c4b0ce7
📒 Files selected for processing (46)
dashboard/src/features/auth/components/auth-gate.tsxdashboard/src/features/auth/types.tsdashboard/src/routes/login.tsxdocs/content/docs/java/guides/integrations/spring.mdxdocs/content/docs/java/guides/operations/cli.mdxdocs/content/docs/java/guides/operations/dashboard.mdxdocs/content/docs/java/guides/operations/security.mdxdocs/content/docs/java/guides/operations/sso.mdxdocs/content/docs/node/guides/operations/cli.mdxdocs/content/docs/node/guides/operations/dashboard-api.mdxdocs/content/docs/node/guides/operations/dashboard.mdxdocs/content/docs/node/guides/operations/security.mdxdocs/content/docs/python/api-reference/cli.mdxdocs/content/docs/python/guides/dashboard/authentication.mdxdocs/content/docs/python/guides/dashboard/index.mdxdocs/content/docs/python/guides/dashboard/rest-api.mdxdocs/content/docs/python/guides/dashboard/sso.mdxdocs/content/docs/python/guides/integrations/django.mdxdocs/content/docs/python/guides/operations/security.mdxdocs/content/docs/shared/guides/operations/deployment.mdxsdks/java/spring/src/main/java/org/byteveda/taskito/spring/TaskitoDashboardAutoConfiguration.javasdks/java/spring/src/main/java/org/byteveda/taskito/spring/TaskitoProperties.javasdks/java/src/main/java/org/byteveda/taskito/Taskito.javasdks/java/src/main/java/org/byteveda/taskito/cli/Cli.javasdks/java/src/main/java/org/byteveda/taskito/dashboard/DashboardServer.javasdks/java/src/main/java/org/byteveda/taskito/dashboard/auth/AuthHandlers.javasdks/java/src/main/java/org/byteveda/taskito/dashboard/auth/TokenAuth.javasdks/java/src/test/java/org/byteveda/taskito/dashboard/DashboardAuthTest.javasdks/node/src/cli/commands/dashboard.tssdks/node/src/dashboard/auth/handlers.tssdks/node/src/dashboard/handlers/core.tssdks/node/src/dashboard/index.tssdks/node/src/dashboard/server.tssdks/node/test/dashboard/oauthEndpoints.test.tssdks/node/test/dashboard/openMode.test.tssdks/node/test/dashboard/server.test.tssdks/node/test/dashboard/sessionAuth.test.tssdks/node/test/integrations/express.test.tssdks/node/test/integrations/fastify.test.tssdks/python/taskito/cli.pysdks/python/taskito/contrib/django/management/commands/taskito_dashboard.pysdks/python/taskito/dashboard/handlers/auth.pysdks/python/taskito/dashboard/routes.pysdks/python/taskito/dashboard/server.pysdks/python/tests/dashboard/test_auth.pysdks/python/tests/dashboard/test_oauth_endpoints.py
Summary
The dashboard previously forced a first-run "create admin" setup screen and mandatory login in every SDK. Auth is now opt-in and off by default: the dashboard loads straight into the UI with no setup screen, login, CSRF, or RBAC unless explicitly enabled. Enabling it restores the previous behavior exactly.
Contract change (all SDKs + shared SPA)
GET /api/auth/statusnow returns{auth_enabled, setup_required}(previously onlysetup_required)./api/auth/*endpoint responds404 {"error": "auth_disabled"}; all remaining routes serve openly.AuthGaterenders the app directly whenauth_enabledisfalse,/loginredirects to/, and the user menu hides itself. A server that omits the field (older build) is treated as auth-on, so the SPA stays backward compatible.TASKITO_DASHBOARD_ADMIN_USER/_PASSWORD) and OAuth-from-env now only run when auth is enabled.Enabling auth
serve_dashboard(queue, auth_enabled=True)taskito dashboard --auth--authorTASKITO_DASHBOARD_AUTH = TrueserveDashboard(queue, { authEnabled: true })taskito dashboard --authDashboardServer.start(queue, port, true)/taskito.dashboard(port, true)--authtaskito.dashboard.auth-enabled=trueAlso fixes a latent Java parity gap found in review:
AuthHandlers.whoami/changePasswordlacked the null-session guard the other implementations already had.Breaking change
Deployments relying on the always-on auth default must now pass the enable flag. Docs were updated accordingly (17 pages): the dashboard serves openly by default; production deployments should enable auth or keep the dashboard on a private network.
Testing
openMode.test.ts), tsc, biomeSummary by CodeRabbit
--auth/authEnabled(and legacy shared-token mode still works when configured).GET /api/auth/statusnow reports bothauth_enabledandsetup_requiredso the SPA can skip the login flow when auth is disabled.