2026-04-24 - Auth Unification Complete
Morning - Session-Based Auth Implementation
Decision locked: Session cookies for browsers, Bearer tokens for machines.
Documented at shared/project-docs/auth-unification.md
Changes Made
| Before | After |
|---|---|
| X-Admin-Token header | Session cookie (hoffdesk_session) |
| ?token= query param | Session cookie (unified login) |
| X-Hoffdesk-Secret | Bearer token for API/webhooks |
| /admin/family/login (dead route) | Wired to unified auth system |
Files Modified
- main.py - Added SessionAuthMiddleware, included auth router at /auth/*
- .env - Added HOFFDESK_USERS with Matt and Aundrea credentials
- requirements.txt - Added itsdangerous>=2.1.0
User Credentials
| User | Password | Email | Roles |
|---|---|---|---|
| matt | hoffdesk-matt-2026 | matt@hoffdesk.local | admin, editor |
| aundrea | hoffdesk-aundrea-2026 | aundrea@hoffdesk.local | family |
Auth Flow
Browser → /auth/login → Session cookie set → 30 day lifetime
↓
Automatic redirect to original page
↓
All /admin/* routes check session cookie
↓
API/Webhooks use Bearer token (unchanged)
Session Cookie Config
- Name: hoffdesk_session
- HttpOnly: Yes (script cannot read the cookie, so an XSS bug cannot exfiltrate it; it does not prevent XSS itself)
- SameSite: Lax (blocks cross-site POST/fetch CSRF; the cookie is still sent on top-level GET navigations, so any state-changing GET handler stays exposed)
- Secure: False (cookie is currently sent over plain HTTP; set True once the site is served over HTTPS)
- Max-Age: 30 days (if the cookie is a signed itsdangerous value with no server-side session store, logout removes the browser copy but a stolen cookie stays valid until it expires or the secret is rotated)
Protected Routes
- /admin/blog/* - Session or Bearer
- /admin/family/* - Session or Bearer
- /admin/content/* - Session or Bearer
- /api/v1/content/briefs/* - Session or Bearer (public read kept)
Exempt Routes (no auth)
- /health
- /webhook
- /api/blog/* (public blog)
- /blog/* (static assets)
- /auth/* (login/logout pages)
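The auth flow, cookie config and route policy above as one runnable example added to these notes (it is not the project's main.py or SessionAuthMiddleware). The itsdangerous-style signed cookie is built with hmac from the standard library so the block runs stand-alone; SESSION_SECRET, API_BEARER_TOKEN, the salted PBKDF2 password storage, the ?next= parameter on /auth/login and the rule that a caller sending an Authorization header gets a 401 instead of a login redirect are all assumptions, and the user entries are constructed from the credentials table.

```python
"""Session-cookie-or-Bearer authorization for the route policy in these notes.
Added example, not the project's code: the itsdangerous-style signed cookie is
built with hmac from the standard library so the block runs stand-alone."""
import base64
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import quote

COOKIE_NAME = "hoffdesk_session"
SESSION_MAX_AGE = 30 * 24 * 3600                     # 30 days, as in the cookie config
SESSION_SECRET = b"constructed-secret-for-example"    # constructed; load from .env in practice
API_BEARER_TOKEN = b"constructed-bearer-token"        # constructed stand-in for the API/webhook secret

# Route policy from the notes (prefix match); /admin/ covers the three admin prefixes listed.
PROTECTED_PREFIXES = ("/admin/", "/api/v1/content/briefs/")
EXEMPT_PREFIXES = ("/health", "/webhook", "/api/blog/", "/blog/", "/auth/")
_SALT = b"constructed-static-salt"                   # constructed; use a random per-user salt in practice

def _hash_password(password: str) -> bytes:
    # Assumption: store a salted PBKDF2 hash rather than the plaintext kept in HOFFDESK_USERS.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)

USERS = {  # constructed from the credentials table in the notes
    "matt": {"hash": _hash_password("hoffdesk-matt-2026"), "roles": ("admin", "editor")},
    "aundrea": {"hash": _hash_password("hoffdesk-aundrea-2026"), "roles": ("family",)},
}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def create_session_cookie(username: str, now: Optional[float] = None) -> str:
    """Cookie value is b64(user:issued_at).b64(HMAC-SHA256 over that payload)."""
    issued = int(time.time() if now is None else now)
    payload = f"{username}:{issued}".encode()
    sig = hmac.new(SESSION_SECRET, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(sig)}"

def verify_session_cookie(value: str, now: Optional[float] = None) -> Optional[str]:
    """Username if the signature checks out and the cookie is within Max-Age, else None."""
    try:
        payload_b64, sig_b64 = value.split(".", 1)
        payload, sig = _unb64(payload_b64), _unb64(sig_b64)
    except ValueError:                                # malformed value or bad base64
        return None
    expected = hmac.new(SESSION_SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):        # constant-time signature check before trusting payload
        return None
    username, _, issued = payload.decode().rpartition(":")
    age = (time.time() if now is None else now) - int(issued)
    if username not in USERS or age > SESSION_MAX_AGE:
        return None
    return username

def login(username: str, password: str) -> Optional[str]:
    """Check for /auth/login: returns the cookie value to set, or None on failure."""
    candidate = _hash_password(password)              # hashed even for unknown users (uniform timing)
    user = USERS.get(username)
    if user is None or not hmac.compare_digest(candidate, user["hash"]):
        return None
    return create_session_cookie(username)

def set_cookie_header(value: str, secure: bool = False) -> str:
    """Set-Cookie attributes from the config above; pass secure=True once served over HTTPS."""
    attrs = [f"{COOKIE_NAME}={value}", "Path=/", "HttpOnly", "SameSite=Lax", f"Max-Age={SESSION_MAX_AGE}"]
    if secure:
        attrs.append("Secure")
    return "; ".join(attrs)

def _safe_next(path: str) -> str:
    # Only a same-site relative path goes into ?next=, so the post-login redirect is not an open redirect.
    return path if path.startswith("/") and not path.startswith("//") else "/"

def authorize(method: str, path: str, cookie_header: str = "", authorization: str = "",
              now: Optional[float] = None) -> dict:
    """The decision the middleware makes for one request: allow, deny (401) or redirect to login."""
    if path.startswith(EXEMPT_PREFIXES) or not path.startswith(PROTECTED_PREFIXES):
        return {"decision": "allow", "principal": None}
    if method == "GET" and path.startswith("/api/v1/content/briefs/"):
        return {"decision": "allow", "principal": None}  # public read kept
    cookies = dict(p.strip().split("=", 1) for p in cookie_header.split(";") if "=" in p)
    user = verify_session_cookie(cookies.get(COOKIE_NAME, ""), now)
    if user:
        return {"decision": "allow", "principal": user, "roles": USERS[user]["roles"]}
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() == "bearer" and hmac.compare_digest(token.strip().encode(), API_BEARER_TOKEN):
        return {"decision": "allow", "principal": "machine"}
    if authorization:                                 # assumption: Authorization header means a machine caller
        return {"decision": "deny", "status": 401}
    return {"decision": "redirect", "location": f"/auth/login?next={quote(_safe_next(path), safe='')}"}
```

A cookie that fails verification (tampered, expired, unknown user) falls through to the Bearer check and then to the login redirect, so a stale cookie behaves exactly like no cookie. The 30-day Max-Age is worth keeping in mind when reviewing this: with a purely signed cookie there is nothing on the server to revoke, so a leaked hoffdesk_session stays usable until it expires unless the signing secret is rotated, which logs everyone out at once.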
Status
✅ Backend auth unification complete
⏳ Daedalus to update frontend:
- HTMX interceptor (remove X-Admin-Token, cookies automatic)
- Remove ?token= from content generation URLs
- Login page template (shared at /auth/login)
Next Steps
- Test login flow end-to-end
- Verify Aundrea can access family dashboard
- Magic Wand auth fix (Daedalus)