Add authentication/authorization with username/password, OIDC/Auth0, and LDAP options #2

Merged
Copilot merged 7 commits from copilot/add-authentication-options into main 2025-10-28 07:27:32 -05:00
Copilot commented 2025-10-27 12:07:14 -05:00 (Migrated from github.com)

Implements multi-method authentication system with admin panel for user, API key, and task access management. Authentication disabled by default for backward compatibility.

Authentication Methods

  • Local: Username/password with bcrypt hashing (10 rounds)
  • OIDC/OAuth2: Auth0, Okta, Azure AD via Passport.js
  • LDAP: Active Directory integration
  • API Keys: Programmatic access with optional expiration

Backend Changes

  • JWT token authentication with configurable expiry
  • Passport.js strategies for all auth methods
  • Role-based middleware (authenticate, requireAdmin, optionalAuth)
  • Admin API endpoints for user/key CRUD
  • Task ownership tracking (userId field)
  • In-memory storage (ready for DB swap)

```javascript
const express = require('express');
const { optionalAuth } = require('./middleware/auth'); // module path assumed for this excerpt
const app = express();
const authEnabled = process.env.AUTH_ENABLED === 'true';
const allTasks = []; // in-memory store, as noted above

// Protect routes conditionally: optionalAuth populates req.user when it can,
// and the handler only narrows the list when auth is on and a user is known
app.get('/api/tasks', optionalAuth, (req, res) => {
  let tasks = allTasks;
  if (authEnabled && req.user) {
    // non-admins see unowned tasks plus their own; admins see everything
    tasks = tasks.filter(t => !t.userId || t.userId === req.user.id || req.user.role === 'admin');
  }
  res.json(tasks);
});
```

Frontend Changes

  • AuthContext for global auth state
  • Login/registration UI with method selection
  • Admin panel: user management, API key generation
  • Authenticated header with user info and logout
  • Token storage in localStorage with axios interceptors

Configuration

```bash
# .env
AUTH_ENABLED=false  # Set true to enable
JWT_SECRET=<strong-random-value>

# Optional OIDC
OIDC_ENABLED=true
OIDC_CLIENT_ID=...
OIDC_AUTHORIZATION_URL=...

# Optional LDAP
LDAP_ENABLED=true
LDAP_URL=ldap://...
LDAP_SEARCH_BASE=ou=users,dc=example,dc=com
```

Security Notes

  • First registered user becomes admin
  • Tasks scoped to creators (admins see all)
  • JWT secrets must be changed in production
  • Rate limiting recommended via reverse proxy
  • CORS configurable via CORS_ORIGIN env var

Screenshots

Login Page:

Login

Admin Panel - User Management:

User Management

Admin Panel - API Keys:

API Keys

Dependencies Added

Backend: passport, passport-local, passport-oauth2, passport-ldapauth, bcryptjs, jsonwebtoken, cookie-parser, dotenv

Frontend: react-router-dom

Original prompt

Add authentication/authorization with username/password, OIDC/Auth0, and LDAP options. This should be behind an admin page to manage users, API keys, and Access to saved flows.



SluberskiHomeLab (Migrated from github.com) reviewed 2025-10-27 12:07:14 -05:00
No description provided.