feat: web UI server auth foundation (/api/* login, logout, me) #14
Reference in New Issue
Block a user
Delete Branch "dev"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Summary
/api/*native JSON surface used by the web UI and future Flutter client, separate from the existing/rest/*Subsonic compatibility layer.minstrel_sessioncookie (HttpOnly, SameSite=Strict, Max-Age 30d) orAuthorization: Bearer …header — native clients can use either.POST /api/auth/login,POST /api/auth/logout,GET /api/me.RequireUsermiddleware protects logout + me; login stays public.{"error":{"code","message"}}envelope.Scope stops at auth +
/api/me— library read endpoints and the SvelteKit frontend ship in follow-up PRs.What's in the branch
12 commits, 21 files touched (see
git log origin/main..HEADfor the full list):0004_sessions.up.sql+ sqlc queries (InsertSession,GetSessionByTokenHash,TouchSessionLastSeen,DeleteSession,DeleteSessionByTokenHash)internal/auth/session.go—MintSessionToken,HashSessionToken,VerifyPassword,RequireUsermiddlewareinternal/api/package —api.Mount, handlers for login/logout/me, error envelope, typesinternal/server/server.go— root router now callsapi.Mountalongside existing/api/adminand/rest/*routesTest plan
go test ./internal/api/... ./internal/auth/...)POST /api/auth/login→ 200 + Set-Cookie (HttpOnly, SameSite=Strict, Max-Age=2592000) + bearer token in bodyGET /api/mevia cookie → 200GET /api/mevia bearer → 200GET /api/meunauthenticated → 401{"error":{"code":"invalid_credentials"…}}POST /api/auth/logout→ 204, Set-Cookie Max-Age=0git pull --ff-only origin mainlocallyKnown non-blocking follow-ups (tracked for later PRs)
RequireUserissues 3 sequential DB calls (session lookup + user lookup + touch) — consolidate via JOIN once traffic mattersRequireUsersilently swallows orphan-session cleanup errors — addslog.WarnSecurecookie flag derives fromr.TLS != nil, which is wrong behind a TLS-terminating reverse proxy — honorX-Forwarded-Protoor add aMINSTREL_COOKIE_SECUREconfig/api/auth/loginme_test.gohas a_ = dbq.User{}preserve-line that can be removed by dropping the unuseddbqimportinternal/apitests TRUNCATEusers, which can collide withinternal/authbootstrap tests under-p >1. Run per-package or with-p 1until we assign each package its own schema/DB.Out of scope (per plan)
/api/albums,/api/artists, etc.) — next plan🤖 Generated with Claude Code