docs(spec): add authentication and access control spec #23

Merged
addison merged 14 commits from exe-dev-bot/kiosk:spec/007-authentication-access-control-2026-02-20 into main 2026-02-20 06:08:56 -05:00

Adds a new Specture spec for authentication and role-based access control.

Covers:

  • Three-tier API access (public, kiosk/localhost, authenticated)
  • Admin login with password, member OTP provisioning
  • API key management with device labels
  • Feature-level permissions (calendars, settings, system, users)
  • Database schema for users, permissions, API keys, OTP codes, audit log
  • Middleware flow for request authorization
Co-authored-by: Shelley <shelley@exe.dev>
exe-dev-bot force-pushed spec/007-authentication-access-control-2026-02-20 from ed2156ad84 to 003177a64b 2026-02-20 04:12:10 -05:00
- OTP uses URL fragment (#otp=) instead of query param
- Add CSP header requirement for XSS mitigation
- Rate limiting on auth endpoints (5/min/IP, exponential backoff)
- HTTPS marked as out of scope (accepted risk for LAN)
- Host header validation on kiosk routes (DNS rebinding protection)
- API key generation: crypto/rand, 256-bit entropy, bcrypt hashed
- Privilege escalation protection (cannot grant higher than own level)
- OTP codes hashed before storage, expired records auto-cleaned
- Separate auth_failure table for failed auth logging
- Revoke all admin keys on password reset
- Replace informal 'parent' language with precise permission terms
- Key list endpoint returns metadata only (raw key shown once)
- Clarify key revocation: own keys or write-all on users
- Admin redirects to admin UI, not member dashboard
- write-own valid for settings, not for system
- POST /api/calendars requires write-own (creator = owner)
- Ownership assignment: creator specifies owner, defaults to self
- Auth response includes api_key, username, role, permissions
- Expired API keys return 401 (not 403)
- Audit log covers successful logins and OTP claims
- Permission levels explicitly hierarchical
- OTP claim must be atomic (DB transaction)
- User deletion out of scope (deactivation only)
- Max 3 concurrent admin API keys
- GET /api/events returns all calendars

Co-authored-by: Shelley <shelley@exe.dev>
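The middleware flow named in the description (three-tier API access) and several controls in the commit above, Host header validation on kiosk routes, crypto/rand key generation with 256 bits of entropy, and expired keys answering 401 rather than 403, worked as a single Go sketch. This is an added example, not code from the kiosk project or from this PR: the allow-listed hosts, the feature names and the bearer-token transport are assumptions of the example, and keys are stored as a SHA-256 digest here so the block runs on the standard library alone, whereas the spec calls for bcrypt.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// Permission levels are hierarchical: none < read < write < admin.
type Level int

const (
	None Level = iota
	Read
	Write
	Admin
)

// Only a digest of each key is stored, so the raw key is shown once at creation.
type apiKey struct {
	expires     time.Time
	permissions map[string]Level // feature -> granted level
}

type store struct{ keys map[[32]byte]*apiKey }

// newKey draws 256 bits from crypto/rand and returns the raw key once. The spec
// bcrypt-hashes stored keys; this example keeps a SHA-256 digest instead so it
// runs on the standard library alone (an assumption of the example).
func (s *store) newKey(ttl time.Duration, perms map[string]Level) (string, error) {
	var raw [32]byte
	if _, err := rand.Read(raw[:]); err != nil {
		return "", err
	}
	token := hex.EncodeToString(raw[:])
	s.keys[sha256.Sum256([]byte(token))] = &apiKey{expires: time.Now().Add(ttl), permissions: perms}
	return token, nil
}

// The three access tiers a route can belong to.
type tier int

const (
	public        tier = iota // no checks
	kiosk                     // loopback source and allow-listed Host header
	authenticated             // Bearer API key holding the required feature level
)

// allowedHosts is a constructed allow-list for the Host header check on kiosk
// routes (DNS rebinding protection); a real deployment configures its own.
var allowedHosts = map[string]bool{"localhost": true, "127.0.0.1": true}

func hostPart(hostport string) string { // drop a :port suffix if present
	if h, _, err := net.SplitHostPort(hostport); err == nil {
		return h
	}
	return hostport
}

// authorize is the middleware decision for one route: 200 lets the request
// through, 401 means no valid identity, 403 means an identity lacking the right.
func (s *store) authorize(t tier, feature string, need Level, r *http.Request) int {
	switch t {
	case public:
		return http.StatusOK
	case kiosk:
		ip := net.ParseIP(hostPart(r.RemoteAddr))
		if ip == nil || !ip.IsLoopback() || !allowedHosts[strings.ToLower(hostPart(r.Host))] {
			return http.StatusForbidden
		}
		return http.StatusOK
	}
	auth := r.Header.Get("Authorization")
	if !strings.HasPrefix(auth, "Bearer ") {
		return http.StatusUnauthorized
	}
	k := s.keys[sha256.Sum256([]byte(strings.TrimPrefix(auth, "Bearer ")))]
	if k == nil || time.Now().After(k.expires) {
		return http.StatusUnauthorized // unknown or expired key: 401, not 403
	}
	if k.permissions[feature] < need {
		return http.StatusForbidden // authenticated, but below the required level
	}
	return http.StatusOK
}

func main() {
	s := &store{keys: map[[32]byte]*apiKey{}}
	tok, _ := s.newKey(time.Hour, map[string]Level{"calendars": Read})
	req := httptest.NewRequest("POST", "/api/calendars", nil)
	req.Header.Set("Authorization", "Bearer "+tok)
	fmt.Println(s.authorize(authenticated, "calendars", Write, req)) // read-only key: 403
}
```

The kiosk tier checks both the source address and the Host header: a loopback source alone is not enough, because a DNS-rebinding page in a browser on the same machine also arrives from 127.0.0.1, but with a Host value the server never served under. The 401/403 split matters for clients as well as for the auth_failure log: 401 tells a device its key is gone and it should re-provision, 403 tells an authenticated user the feature level is missing.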
Define all frontend pages and their permission requirements:
- / — login (unauth) or dashboard (member) or redirect to /system (admin)
- /calendars — calendar management (replaces old /admin feed management)
- /users — user management, permissions, OTP, key management
- /system — theme, update, sync, audit log (admin landing page)
- /settings — personal API keys/devices (any authenticated user)

Document old /admin migration path.
Update frontend task list with per-page tasks.

Co-authored-by: Shelley <shelley@exe.dev>
- System account: 'admin' → 'root' (username, role, seed file, CLI)
- Permission levels: write-own → write, write-all → admin
- Hierarchy: none < read < write < admin
- User roles: root / member (no 'admin' role)
- Dashboard card: 'System' → 'System Administration'
- Human-friendly terms: calendar admin, user admin, system admin

Co-authored-by: Shelley <shelley@exe.dev>
- Remove read level from system feature (no read-only view)
- GET /api/audit requires admin on system, not read
- Update dashboard card, permission notes, and task list

Co-authored-by: Shelley <shelley@exe.dev>
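The renamed hierarchy from the two commits above (none < read < write < admin, root and member roles, no read level on the system feature) together with the earlier commit's escalation protection (a granter cannot hand out a level higher than their own), worked as an added Go example. This is not the project's own code: the feature names follow the PR, while requiring write on the users feature before changing anyone else's permissions is an assumption of the example.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
)

// Permission levels are strictly hierarchical: none < read < write < admin.
type Level int

const (
	None Level = iota
	Read
	Write
	Admin
)

func (l Level) String() string { return [...]string{"none", "read", "write", "admin"}[l] }

// allowedLevels lists the levels each feature accepts. The system feature has
// no read-only view, so read is not a valid level there.
var allowedLevels = map[string][]Level{
	"calendars": {None, Read, Write, Admin},
	"settings":  {None, Read, Write, Admin},
	"users":     {None, Read, Write, Admin},
	"system":    {None, Write, Admin},
}

// Roles are root or member; rights come from the per-feature levels.
type User struct {
	Name  string
	Role  string // "root" or "member"
	Perms map[string]Level
}

// NewRoot builds the system account, which holds admin on every feature.
func NewRoot() *User {
	u := &User{Name: "root", Role: "root", Perms: map[string]Level{}}
	for f := range allowedLevels {
		u.Perms[f] = Admin
	}
	return u
}

var (
	ErrUnknownFeature = errors.New("unknown feature")
	ErrLevelNotValid  = errors.New("level not valid for this feature")
	ErrNotUserAdmin   = errors.New("granter lacks write on users")
	ErrEscalation     = errors.New("cannot grant a level higher than your own")
)

// Grant sets target's level on feature and enforces the escalation rule: the
// granter can never hand out more than they hold on that feature. Requiring
// write on users to change anyone's permissions is this example's assumption.
func Grant(granter, target *User, feature string, level Level) error {
	allowed, ok := allowedLevels[feature]
	if !ok {
		return ErrUnknownFeature
	}
	valid := false
	for _, l := range allowed {
		valid = valid || l == level
	}
	if !valid {
		return ErrLevelNotValid
	}
	if granter.Perms["users"] < Write {
		return ErrNotUserAdmin
	}
	if level > granter.Perms[feature] {
		return ErrEscalation
	}
	target.Perms[feature] = level
	return nil
}

// Titles renders the human-friendly names for a user's admin-level grants
// (calendar admin, user admin, system admin) in stable order.
func Titles(u *User) []string {
	names := map[string]string{"calendars": "calendar admin", "users": "user admin", "system": "system admin"}
	var out []string
	for f, title := range names {
		if u.Perms[f] >= Admin {
			out = append(out, title)
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	root, bob := NewRoot(), &User{Name: "bob", Role: "member", Perms: map[string]Level{}}
	carol := &User{Name: "carol", Role: "member", Perms: map[string]Level{}}
	fmt.Println(Grant(root, bob, "users", Write), Grant(root, bob, "calendars", Write)) // both succeed
	fmt.Println(Grant(bob, carol, "calendars", Admin))                                  // escalation refused
	fmt.Println(Grant(bob, carol, "system", Read))                                      // no read level on system
	fmt.Println(Titles(root), bob.Perms["calendars"])                                   // root holds all three titles
}
```

The order of the checks is deliberate: feature and level validity are rejected before the granter's own rights are consulted, so a malformed request never reveals whether the caller would have been allowed to make it, and the escalation comparison uses the granter's level on the same feature rather than their role name, which is what makes the hierarchy enforceable per feature.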
Reference
kwila/kiosk!23