Skip to content

feat: make dashboard auth opt-in, off by default#407

Merged
pratyush618 merged 9 commits into
masterfrom
feat/dashboard-auth-opt-in
Jul 11, 2026
Merged

feat: make dashboard auth opt-in, off by default#407
pratyush618 merged 9 commits into
masterfrom
feat/dashboard-auth-opt-in

Conversation

@pratyush618

@pratyush618 pratyush618 commented Jul 11, 2026

Copy link
Copy Markdown
Collaborator

Summary

The dashboard previously forced a first-run "create admin" setup screen and mandatory login in every SDK. Auth is now opt-in and off by default: the dashboard loads straight into the UI with no setup screen, login, CSRF, or RBAC unless explicitly enabled. Enabling it restores the previous behavior exactly.

Contract change (all SDKs + shared SPA)

  • GET /api/auth/status now returns {auth_enabled, setup_required} (previously only setup_required).
  • With auth disabled, every other /api/auth/* endpoint responds 404 {"error": "auth_disabled"}; all remaining routes serve openly.
  • SPA AuthGate renders the app directly when auth_enabled is false, /login redirects to /, and the user menu hides itself. A server that omits the field (older build) is treated as auth-on, so the SPA stays backward compatible.
  • Legacy shared-token mode is unchanged and takes precedence over the new flag.
  • Env admin bootstrap (TASKITO_DASHBOARD_ADMIN_USER/_PASSWORD) and OAuth-from-env now only run when auth is enabled.

Enabling auth

SDK Programmatic CLI Framework
Python serve_dashboard(queue, auth_enabled=True) taskito dashboard --auth Django: --auth or TASKITO_DASHBOARD_AUTH = True
Node serveDashboard(queue, { authEnabled: true }) taskito dashboard --auth
Java DashboardServer.start(queue, port, true) / taskito.dashboard(port, true) --auth Spring: taskito.dashboard.auth-enabled=true

Also fixes a latent Java parity gap found in review: AuthHandlers.whoami/changePassword lacked the null-session guard the other implementations already had.

Breaking change

Deployments relying on the always-on auth default must now pass the enable flag. Docs were updated accordingly (17 pages): the dashboard serves openly by default; production deployments should enable auth or keep the dashboard on a private network.

Testing

  • Python: 276 dashboard tests (5 new open-mode tests), ruff, mypy
  • Node: 106 dashboard + integration tests (new openMode.test.ts), tsc, biome
  • Java: full gradle build with 4 new open-mode tests, spotless, checkstyle
  • SPA: typecheck, lint, production build; docs typecheck/lint/build

Summary by CodeRabbit

  • New Features
    • Dashboards run openly by default; session authentication is available via --auth / authEnabled (and legacy shared-token mode still works when configured).
    • GET /api/auth/status now reports both auth_enabled and setup_required so the SPA can skip the login flow when auth is disabled.
  • Bug Fixes
    • Auth-only endpoints are consistently rejected when auth is disabled, and session-required actions correctly fail without an active session.
  • Documentation
    • Updated Java/Node/Python/Django and CLI guides, plus security/deployment/SSO docs, to reflect the three authentication modes and new status/route behavior.

@coderabbitai

coderabbitai Bot commented Jul 11, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 7a4ed9b5-80fc-4b19-86aa-dbe7c333be2f

📥 Commits

Reviewing files that changed from the base of the PR and between e4e7d56 and 1b0b963.

📒 Files selected for processing (3)
  • docs/content/docs/java/guides/operations/cli.mdx
  • docs/content/docs/java/guides/operations/security.mdx
  • sdks/java/src/main/java/org/byteveda/taskito/dashboard/auth/AuthHandlers.java
✅ Files skipped from review due to trivial changes (2)
  • docs/content/docs/java/guides/operations/security.mdx
  • docs/content/docs/java/guides/operations/cli.mdx
🚧 Files skipped from review as they are similar to previous changes (1)
  • sdks/java/src/main/java/org/byteveda/taskito/dashboard/auth/AuthHandlers.java

📝 Walkthrough

Walkthrough

Dashboard authentication is now open by default, with opt-in session authentication and legacy token support across Java, Node, and Python. Server status responses, SPA gating, CLI/configuration options, tests, and authentication documentation were updated accordingly.

Changes

Dashboard authentication modes

Layer / File(s) Summary
Java server auth modes and configuration
sdks/java/src/main/java/org/byteveda/taskito/dashboard/*, sdks/java/src/main/java/org/byteveda/taskito/Taskito.java, sdks/java/src/main/java/org/byteveda/taskito/cli/Cli.java, sdks/java/spring/src/main/java/...
Java dashboard startup now distinguishes open, session, and legacy token modes, with authEnabled exposed through APIs, CLI options, and Spring properties.
Node server auth modes
sdks/node/src/dashboard/*, sdks/node/src/cli/commands/dashboard.ts
Node dashboard options and dispatch now support open mode by default, opt-in session authentication, and existing token gating.
Python server auth modes
sdks/python/taskito/dashboard/*, sdks/python/taskito/cli.py, sdks/python/taskito/contrib/django/*
Python serving, routing, CLI, and Django integration now accept auth_enabled and return mode-aware auth status responses.
SPA auth gating
dashboard/src/features/auth/*, dashboard/src/routes/login.tsx
The SPA renders directly without redirects when the server reports disabled authentication and redirects login visitors from disabled-auth or authenticated states.
Cross-SDK validation
sdks/*/test*, sdks/*/tests*
Tests explicitly enable session authentication where required and cover open-mode status, reads, writes, existing users, and disabled auth endpoints.
Authentication documentation
docs/content/docs/{java,node,python,shared}/**
Documentation now describes open mode, opt-in session authentication, legacy token mode, configuration flags, OAuth prerequisites, and deployment hardening.

Estimated code review effort: 4 (Complex) | ~60 minutes

Sequence Diagram(s)

sequenceDiagram
  participant DashboardSPA
  participant DashboardServer
  participant AuthStatus
  participant DashboardAPI
  DashboardSPA->>DashboardServer: Request auth status
  DashboardServer->>AuthStatus: Resolve auth_enabled and setup_required
  AuthStatus-->>DashboardSPA: Return authentication status
  DashboardSPA->>DashboardAPI: Request dashboard data
  DashboardAPI-->>DashboardSPA: Serve open routes or enforce selected auth mode
Loading

Possibly related PRs

  • ByteVeda/taskito#385: Adds the server-side auth_enabled and open-mode API behavior consumed by this SPA change.
  • ByteVeda/taskito#395: Provides related Spring dashboard authentication configuration wiring.
🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 36.84% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (4 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed Title accurately summarizes the main change: dashboard authentication becomes opt-in and disabled by default.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch feat/dashboard-auth-opt-in

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/content/docs/java/guides/operations/cli.mdx`:
- Around line 32-38: Update the dashboard CLI example description to state that
including --auth enables session authentication, while omitting --auth serves
the dashboard in open mode; reference the dashboard command documentation text
around the CLI example.

In `@docs/content/docs/java/guides/operations/security.mdx`:
- Around line 60-64: Update the security guide text near the session-auth
description to preserve the public-route exception: replace “every route after
that needs a valid session” with wording that states every non-public or
protected route requires a valid session after setup, while retaining the
existing admin/viewer RBAC, CSRF, and OAuth/OIDC details.

In
`@sdks/java/src/main/java/org/byteveda/taskito/dashboard/auth/AuthHandlers.java`:
- Around line 60-62: Update the unauthenticated session handling in AuthHandlers
methods whoami and changePassword to throw
DashboardError.unauthorized("not_authenticated") instead of notFound or
badRequest, matching Policy.authorize and logoutInvalidatesSession behavior.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 68aec5d6-7f73-4ab4-b41a-0b249c4b0ce7

📥 Commits

Reviewing files that changed from the base of the PR and between 72a581c and e4e7d56.

📒 Files selected for processing (46)
  • dashboard/src/features/auth/components/auth-gate.tsx
  • dashboard/src/features/auth/types.ts
  • dashboard/src/routes/login.tsx
  • docs/content/docs/java/guides/integrations/spring.mdx
  • docs/content/docs/java/guides/operations/cli.mdx
  • docs/content/docs/java/guides/operations/dashboard.mdx
  • docs/content/docs/java/guides/operations/security.mdx
  • docs/content/docs/java/guides/operations/sso.mdx
  • docs/content/docs/node/guides/operations/cli.mdx
  • docs/content/docs/node/guides/operations/dashboard-api.mdx
  • docs/content/docs/node/guides/operations/dashboard.mdx
  • docs/content/docs/node/guides/operations/security.mdx
  • docs/content/docs/python/api-reference/cli.mdx
  • docs/content/docs/python/guides/dashboard/authentication.mdx
  • docs/content/docs/python/guides/dashboard/index.mdx
  • docs/content/docs/python/guides/dashboard/rest-api.mdx
  • docs/content/docs/python/guides/dashboard/sso.mdx
  • docs/content/docs/python/guides/integrations/django.mdx
  • docs/content/docs/python/guides/operations/security.mdx
  • docs/content/docs/shared/guides/operations/deployment.mdx
  • sdks/java/spring/src/main/java/org/byteveda/taskito/spring/TaskitoDashboardAutoConfiguration.java
  • sdks/java/spring/src/main/java/org/byteveda/taskito/spring/TaskitoProperties.java
  • sdks/java/src/main/java/org/byteveda/taskito/Taskito.java
  • sdks/java/src/main/java/org/byteveda/taskito/cli/Cli.java
  • sdks/java/src/main/java/org/byteveda/taskito/dashboard/DashboardServer.java
  • sdks/java/src/main/java/org/byteveda/taskito/dashboard/auth/AuthHandlers.java
  • sdks/java/src/main/java/org/byteveda/taskito/dashboard/auth/TokenAuth.java
  • sdks/java/src/test/java/org/byteveda/taskito/dashboard/DashboardAuthTest.java
  • sdks/node/src/cli/commands/dashboard.ts
  • sdks/node/src/dashboard/auth/handlers.ts
  • sdks/node/src/dashboard/handlers/core.ts
  • sdks/node/src/dashboard/index.ts
  • sdks/node/src/dashboard/server.ts
  • sdks/node/test/dashboard/oauthEndpoints.test.ts
  • sdks/node/test/dashboard/openMode.test.ts
  • sdks/node/test/dashboard/server.test.ts
  • sdks/node/test/dashboard/sessionAuth.test.ts
  • sdks/node/test/integrations/express.test.ts
  • sdks/node/test/integrations/fastify.test.ts
  • sdks/python/taskito/cli.py
  • sdks/python/taskito/contrib/django/management/commands/taskito_dashboard.py
  • sdks/python/taskito/dashboard/handlers/auth.py
  • sdks/python/taskito/dashboard/routes.py
  • sdks/python/taskito/dashboard/server.py
  • sdks/python/tests/dashboard/test_auth.py
  • sdks/python/tests/dashboard/test_oauth_endpoints.py

Comment thread docs/content/docs/java/guides/operations/cli.mdx Outdated
Comment thread docs/content/docs/java/guides/operations/security.mdx
@pratyush618 pratyush618 merged commit 33c829c into master Jul 11, 2026
36 checks passed
@pratyush618 pratyush618 deleted the feat/dashboard-auth-opt-in branch July 11, 2026 06:53
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant