Add account authentication support to web app #41

Merged
luca0N merged 13 commits from dev_client_auth into dev 2026-04-25 22:33:24 +00:00
Owner

Add account authentication support to the web app. This pull request does not include account support in the backend server.

  • Add login page prototype
    • Add option to stay logged in
    • Make login page functional
  • Remove all references to password recovery ("Forgot password?") [1]
  • Check for server authentication support/requirement in main page [2]
  • Store session token/ID (to be decided) with either cookies or localStorage
  • Rename ServerCommunication class for clarity

  1. #41 (comment): https://git.luca0n.com/luca0N/lanbassador/pulls/41#issuecomment-1527

  2. Account authentication is optional. Instance administrators can either require it, or leave it disabled. The web app should check whether the server it's configured to use requires authentication before redirecting the user to the relevant page.
luca0N self-assigned this 2026-02-01 18:28:11 +00:00
In the web app, create a new page for authentication, and add a new
route for it.  The page included is only a prototype which does not yet
include the authentication code.
Author
Owner

Note that support for accounts is not yet implemented in the server. This will be worked on in another pull request. I am still deciding how authentication will be implemented (either a simple session token with cookies/bearer authorization, or JWT).
Author
Owner

I must decide which DBMS to use. Seems like there is a Go library that provides an interface to multiple RDBMSes, but I haven't dug too deep into it yet. If such library were to exist, using it would make the project much more flexible, and administrators could pick and choose their DBMS of choice. One downside is that it would likely make testing more complex, as the need for testing multiple DBMSes would surge.

2026-03-05 update: see #62 (comment): https://git.luca0n.com/luca0N/lanbassador/pulls/62#issuecomment-1435
luca0N force-pushed dev_client_auth from 11293068ef to 974d32400d 2026-02-25 23:30:16 +00:00 Compare
Author
Owner

I had to rebase this branch with dev, as it was missing the required @angular/localize package.

Doing so resulted in the commit I made losing its GPG signature (as expected), but the new commit was not signed by this Forgejo instance.

I will force-push to this branch with a signed commit ASAP (I still have the original signed one).
luca0N force-pushed dev_client_auth from 974d32400d to 112f06f035 2026-03-01 18:39:09 +00:00 Compare
Author
Owner

Latest force-push rebased the branch with the dev branch, resigning the single commit in this pull request.
Add new option in the login form in the form of a checkbox, that allows
users to stay logged in.  This option will instruct the client to mark a
session as persistent so that it doesn't expire once the user agent
closes.
Author
Owner

I had to introduce CORS headers to non-preflight requests in order to make it so Firefox would accept the fetch request from a different origin (77ec56f838).
Create a new class for managing dynamic instance configuration retrieval
at runtime.  This new class makes it easier to read instance-specific
configuration without having to make the request in every class that
needs it.
Author
Owner

As stated in the message of commit c5e0ec41f6, I have created a new class for dynamic instance configuration retrieval. I will make use of this in (hopefully) the next commit, which will be used by the login page to send authentication requests.
Create a new class to communicate with the server HTTP API (not to be
confused with the WebSocket API), and use it in the login page to
authenticate with user-provided credentials.
Author
Owner

With the introduction of the ServerComms source file (and class) in a078d49086, the ServerCommunication class should be renamed so that it's clear to everyone which one is meant for the WebSocket API.
When authentication is completed during the login phase, store the
session token in the browser's cookies to remember the session.

This commit does not yet introduce basic hardening strategies for
cookies (e.g., `SameSite', `Secure', etc.)
If the user attempts to visit the login page while a session is already
present, automatically redirect the user to the web app main page.
In the web app sources, move the toolbar HTML code to a new component
called `lanbassador-toolbar', create account controls there for
redirecting to the login page and logging out, and update `ServerComms'
for sending DELETE requests to destroy valid sessions.
luca0N left a comment
Author
Owner

Some minor notes that need attention.
@ -0,0 +18,4 @@
import { ConfigManager } from "./ConfigManager";
export class ServerComms {
Author
Owner

This class should probably use the @Injectable annotation.
@ -0,0 +23,4 @@
})
export class AccountSession {
/**
* Saves the given session token to the browser storage.
Author
Owner

The @param comment here was erroneously removed.
luca0N marked this conversation as resolved
@ -0,0 +42,4 @@
public loadSessionToken(): string | undefined {
const cookies = document.cookie.split(";");
for (const cookie of cookies) {
// const kv = cookie.trim().split("=");
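Review bot: when the commented-out `cookie.trim().split("=")` pattern is reinstated, split only on the first `=`: a session token may itself contain `=` (for example base64 padding), so `split("=")[1]` would silently return a truncated token. Use `indexOf("=")` with `slice` to separate name and value instead. Note also that reading the token through `document.cookie` means the cookie cannot be `HttpOnly`, and the commit message for this change already defers the `SameSite`/`Secure` attributes, so both points are worth tracking together.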
Author
Owner

This is a leftover comment which should be removed.
luca0N marked this conversation as resolved
luca0N force-pushed dev_client_auth from 8faee90b56 to bcb937f7d0 2026-04-18 22:27:52 +00:00 Compare
Author
Owner

Latest force-push some of the previous comments [1] [2].

  1. https://git.luca0n.com/luca0N/lanbassador/pulls/41#issuecomment-1519

  2. https://git.luca0n.com/luca0N/lanbassador/pulls/41#issuecomment-1520
In the login form, allow users to stay logged in by checking the
`Remember this device' checkbox, which, instead of creating a cookie
with the session token that disappears once the session ends, creates a
cookie that lasts up to 6 months.  This time is hardcoded and, at this
time, cannot be changed.
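The cookie handling described in the two commit messages above (a session cookie by default, a cookie lasting up to 6 months when "Remember this device" is checked) together with the `SameSite`/`Secure` hardening that the earlier commit message defers, as an added TypeScript example. This is not Lanbassador's own `AccountSession` code: the cookie name, the function names and the 30-day month used for the 6-month lifetime are assumptions.

```typescript
// Added example, not the project's code. Assumed cookie name and helpers.
const SESSION_COOKIE = "lanbassador_session";
// "Up to 6 months" from the commit message; 30-day months are an assumption.
const SIX_MONTHS_SECONDS = 6 * 30 * 24 * 60 * 60;

// Builds the string to assign to document.cookie after a successful login.
// With remember=false no Max-Age is set, so the cookie dies with the user agent;
// with remember=true it persists for SIX_MONTHS_SECONDS.
function buildSessionCookie(token: string, remember: boolean, secure = true): string {
  // Defence in depth: refuse tokens that could smuggle extra cookie attributes.
  if (!/^[A-Za-z0-9._~+\/=-]+$/.test(token)) {
    throw new Error("session token contains characters not allowed in a cookie value");
  }
  // SameSite=Strict keeps the cookie off cross-site requests; Secure keeps it off plain HTTP.
  const parts = [`${SESSION_COOKIE}=${token}`, "Path=/", "SameSite=Strict"];
  if (secure) parts.push("Secure");
  if (remember) parts.push(`Max-Age=${SIX_MONTHS_SECONDS}`);
  return parts.join("; ");
}

// Reads the session token back out of a document.cookie string.
// Splits each cookie on the FIRST "=" only, because the token itself may
// contain "=" (e.g. base64 padding). Returns undefined when absent or empty.
function readSessionToken(cookieHeader: string): string | undefined {
  for (const raw of cookieHeader.split(";")) {
    const cookie = raw.trim();
    const eq = cookie.indexOf("=");
    if (eq < 0 || cookie.slice(0, eq) !== SESSION_COOKIE) continue;
    const value = cookie.slice(eq + 1);
    return value.length > 0 ? value : undefined;
  }
  return undefined;
}

// Builds the string that expires the cookie once the DELETE request
// destroying the server-side session has succeeded.
function buildLogoutCookie(secure = true): string {
  return `${SESSION_COOKIE}=; Path=/; SameSite=Strict; Max-Age=0${secure ? "; Secure" : ""}`;
}
```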
Rename the `ServerConnection' source file to `LiveConnection' for
clarity.  This source file deals with live connections, whereas the
`ServerComms' file deals with the HTTP API.
Author
Owner

At this time, the server does not have any endpoints for recovering lost passwords. Even if it had one, SMTP support would have to be implemented, which is something that is not on the roadmap, at this time. As such, all references to password recovery from the UI will be removed.

Therefore, administrators must have the ability to change the passwords of user accounts. For security reasons, users should be prompted to change their passwords immediately after logging in for the first time (after an administrator has changed their account password).
luca0N force-pushed dev_client_auth from ce66450012 to cba4e05309 2026-04-22 23:50:27 +00:00 Compare
Author
Owner

Latest force-push removes the unused Forgot password? control from the login page.
When a user visits the login page, check whether account support is
enabled in the server.  If account support is disabled, an error alert
dialog is shown informing the user about the error, and then the user is
redirected to the main page.

This commit also removes the constructor for `ConfigManager', as
instance configuration retrieval is now done before the app starts,
assuring that the required configuration is only fetched once, and that
it will be ready by the time some code needs it (in this case, the login
page, as a server request is made as soon as that page starts).
In the web app toolbar, check whether account support is enabled on the
server.  If it's not, then the button that navigates the user to the
login page is hidden.
luca0N changed title from WIP: Add account authentication support to web app to Add account authentication support to web app 2026-04-22 23:51:25 +00:00
luca0N left a comment
Author
Owner

There are a few minor things missing, and i18n changes are yet to be committed.
@ -0,0 +41,4 @@
onLoaded(ConfigManager.instanceConfig);
});
}
Author
Owner

Missing documentation here.
@ -0,0 +43,4 @@
private getEndpointUrl(endpoint: string): string {
if (this.serverHost == undefined || this.serverPort == undefined)
throw new Error("The instance settings have not yet been loaded.");
Author
Owner

Unreachable code: the instance configuration is loaded during app startup, so it will always be available.
Author
Owner

This whole file is missing the i18n attribute.
@ -0,0 +94,4 @@
const dialogRef = this.dialog.open(DialogError, {
data: {
title: "Accounts support is disabled",
message: "This Lanbassador instance does not have account support enabled. Contact the instance administrator to solve this problem if this is unexpected.",
Author
Owner

Missing i18n.
luca0N changed title from Add account authentication support to web app to WIP: Add account authentication support to web app 2026-04-23 23:16:19 +00:00
Perform some minor code refactoring on ServerComms and a source file
that uses it to remove redundant code.
Update i18n messages with strings added during the development of
account support in the web app.
luca0N changed title from WIP: Add account authentication support to web app to Add account authentication support to web app 2026-04-25 22:33:17 +00:00
luca0N deleted branch dev_client_auth 2026-04-25 22:33:24 +00:00