# 2026-04-24 - Auth Unification Complete

## Morning - Session-Based Auth Implementation

**Decision locked:** Session cookies for browsers, Bearer tokens for machines. Documented at `shared/project-docs/auth-unification.md`

### Changes Made

| Before | After |
|--------|-------|
| X-Admin-Token header | Session cookie (`hoffdesk_session`) |
| ?token= query param | Session cookie (unified login) |
| X-Hoffdesk-Secret | Bearer token for API/webhooks |
| /admin/family/login (dead route) | Wired to unified auth system |

### Files Modified

1. **main.py** - Added SessionAuthMiddleware, included auth router at `/auth/*`
2. **.env** - Added `HOFFDESK_USERS` with Matt and Aundrea credentials
3. **requirements.txt** - Added `itsdangerous>=2.1.0`

### User Credentials

| User | Password | Email | Roles |
|------|----------|-------|-------|
| matt | `hoffdesk-matt-2026` | matt@hoffdesk.local | admin, editor |
| aundrea | `hoffdesk-aundrea-2026` | aundrea@hoffdesk.local | family |

These passwords live in `.env` and are repeated here in the clear, so this entry is as sensitive as the `.env` file; rotate them if it is ever shared.

### Auth Flow

```
Browser → /auth/login → Session cookie set → 30 day lifetime
    ↓
Automatic redirect to original page
    ↓
All /admin/* routes check session cookie (or Bearer token)
    ↓
API/Webhooks use Bearer token (unchanged)
```

### Session Cookie Config

- Name: `hoffdesk_session`
- HttpOnly: Yes (script cannot read it, so an XSS cannot lift the cookie; it does not stop XSS itself)
- SameSite: Lax (cookie is withheld on cross-site POSTs; it still rides on top-level GET navigations, so admin actions that change state must not be GET)
- Secure: False (must be set True once the app is behind HTTPS, otherwise the cookie travels in the clear)
- Max-Age: 30 days (the cookie is signed with `itsdangerous`, so rotating the signing secret invalidates every session at once)

### Protected Routes

- `/admin/blog/*` - Session or Bearer
- `/admin/family/*` - Session or Bearer
- `/admin/content/*` - Session or Bearer
- `/api/v1/content/briefs/*` - Session or Bearer (public read kept)

### Exempt Routes (no auth)

- `/health`
- `/webhook`
- `/api/blog/*` (public blog)
- `/blog/*` (static assets)
- `/auth/*` (login/logout pages)

## Status

✅ Backend auth unification complete

⏳ Daedalus to update frontend:

- HTMX interceptor (remove X-Admin-Token, cookies automatic)
- Remove ?token= from content generation URLs
- Login page template (shared at /auth/login)

## Next Steps

- Test login flow end-to-end
- Verify Aundrea can access family dashboard
- Magic Wand auth fix (Daedalus)
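The cookie config, route policy and redirect-back-to-original-page step above, as an added example that is not the project's `SessionAuthMiddleware` and is stdlib only: `sign_session`/`verify_session` reproduce the signed-payload-plus-timestamp scheme that `itsdangerous` provides, `session_set_cookie` emits the attributes from the cookie config, and `authorize` does the session-or-Bearer dispatch. Two things here are assumptions rather than facts from the entry: routes outside the exempt list are treated as protected (default deny, so a route added later is not silently open), and the `next` parameter for the post-login redirect is restricted to a same-origin path so the login page cannot be used as an open redirect. The `Request` class, the secret and the token are constructed test values.

```python
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from typing import List, Optional, Tuple
from urllib.parse import quote

SESSION_COOKIE = "hoffdesk_session"
SESSION_MAX_AGE = 30 * 24 * 3600          # 30 days, as in the cookie config
# Exempt list from this entry; prefix matching is an assumption of this example.
EXEMPT_PREFIXES = ("/health", "/webhook", "/api/blog/", "/blog/", "/auth/")


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_session(secret: bytes, user: str, roles: List[str], now: int) -> str:
    """Cookie value = base64(json payload) '.' base64(HMAC-SHA256 over it).
    Signed, not encrypted: anyone can read the payload, nobody can alter it,
    and the issue time 't' is what lets the server enforce the 30-day limit."""
    payload = _b64e(json.dumps({"u": user, "r": roles, "t": now},
                               separators=(",", ":")).encode())
    mac = hmac.new(secret, payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{_b64e(mac)}"


def verify_session(secret: bytes, cookie: str, now: int,
                   max_age: int = SESSION_MAX_AGE) -> Optional[dict]:
    """Returns the payload, or None for a malformed, forged or expired cookie."""
    try:
        payload, mac_b64 = cookie.split(".", 1)
        expected = hmac.new(secret, payload.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64d(mac_b64)):
            return None                     # wrong key or tampered payload
        data = json.loads(_b64d(payload))
        if not isinstance(data.get("t"), int) or now - data["t"] > max_age:
            return None                     # expired, or the timestamp is not a number
        return data
    except (ValueError, KeyError, TypeError, AttributeError):
        return None                         # bad base64, bad JSON, not an object


def session_set_cookie(value: str, secure: bool) -> str:
    """Set-Cookie header carrying the attributes from the cookie config.
    HttpOnly keeps script from reading it; SameSite=Lax withholds it on
    cross-site POSTs; Secure must be True once the app is behind HTTPS."""
    attrs = [f"{SESSION_COOKIE}={value}", "Path=/", f"Max-Age={SESSION_MAX_AGE}",
             "HttpOnly", "SameSite=Lax"]
    if secure:
        attrs.append("Secure")
    return "; ".join(attrs)


def safe_next(path: str) -> str:
    """Assumed check (not in the entry): only redirect back to a same-origin
    path after login; absolute URLs and protocol-relative '//host' go to '/'."""
    return path if path.startswith("/") and not path.startswith("//") else "/"


@dataclass
class Request:                              # constructed stand-in for the framework request
    path: str
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


def authorize(req: Request, secret: bytes, api_token: str, now: int) -> Tuple[str, Optional[str]]:
    """Decide how a request is admitted. Returns (outcome, detail):
    ('exempt', None) | ('bearer', None) | ('session', user) | ('deny', None)
    | ('redirect', login_url). Default deny: anything not on the exempt list
    needs a credential. A Bearer header is checked first, so a bad token is a
    hard 'deny' rather than a silent fallback to whatever cookie is present."""
    if req.path.startswith(EXEMPT_PREFIXES):
        return ("exempt", None)
    auth = req.headers.get("Authorization", "")
    if auth.startswith("Bearer "):
        presented = auth[len("Bearer "):].encode()
        ok = hmac.compare_digest(presented, api_token.encode())
        return ("bearer", None) if ok else ("deny", None)
    sess = verify_session(secret, req.cookies.get(SESSION_COOKIE, ""), now)
    if sess:
        return ("session", sess["u"])
    return ("redirect", "/auth/login?next=" + quote(safe_next(req.path), safe="/"))
```

The payload is readable by anyone holding the cookie, which is why it carries only the user name, roles and issue time and never the password or the Bearer token.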