bitforge/orchard
3
0
Fork 0
Code Projects Wiki Activity
91 Commits 19 Branches 0 Tags
9e311347855aca7da8ca1d4575cce7724028b826
Commit Graph

21 Commits

Author SHA1 Message Date
Mondo Diaz
1c31fe79cd Add OIDC/SSO authentication support 
Backend:
- Add OIDCConfig, OIDCConfigService, OIDCService classes for OIDC flow
- Add OIDC endpoints: status, config (get/update), login, callback
- Support authorization code flow with PKCE-compatible state parameter
- JWKS-based ID token validation with RS256 support
- Auto-provisioning of users from OIDC claims
- Admin group mapping for automatic admin role assignment

Frontend:
- Add SSO login button on login page (conditionally shown when enabled)
- Add OIDC admin configuration page (/admin/oidc)
- Add SSO Configuration link in admin menu
- Add OIDC types and API functions

Security:
- CSRF protection via state parameter in secure cookie
- Secure cookie settings (httponly, secure, samesite=lax)
- Client secret stored encrypted in database
- Token validation using provider's JWKS endpoint
 2026-01-09 15:05:04 -06:00
Mondo Diaz
6b9f63a30e Add frontend access control enhancements and JWT support 
- Hide New Project button for unauthenticated users, show login link
- Add lock icon for private projects on home page
- Show access level badges on project cards (Owner, Admin, Write, Read)
- Add permission expiration date field to AccessManagement component
- Add query timeout configuration for database (ORCHARD_DATABASE_QUERY_TIMEOUT)
- Add JWT token validation support for external identity providers
  - Configurable via ORCHARD_JWT_* environment variables
  - Supports HS256 with secret or RS256 with JWKS
  - Auto-provisions users from JWT claims
 2026-01-08 18:52:57 -06:00
Mondo Diaz
0bef44a292 Add access permission management API 
Backend:
- Add AccessPermission schemas (Create, Update, Response)
- Add ProjectWithAccessResponse schema
- Add permission endpoints:
  - GET /project/{name}/permissions - list permissions (admin only)
  - POST /project/{name}/permissions - grant access (admin only)
  - PUT /project/{name}/permissions/{username} - update access
  - DELETE /project/{name}/permissions/{username} - revoke access
  - GET /project/{name}/my-access - get current user's access level

Frontend:
- Add AccessLevel, AccessPermission types
- Add API functions for access management:
  - getMyProjectAccess()
  - listProjectPermissions()
  - grantProjectAccess()
  - updateProjectAccess()
  - revokeProjectAccess()
 2026-01-08 18:26:22 -06:00
Mondo Diaz
6aa199b80b Add rate limiting to login endpoint 
Security:
- Add slowapi dependency for rate limiting
- Create rate_limit.py module with configurable limits
- Apply 5 requests/minute limit to login endpoint
- Make rate limit configurable via ORCHARD_LOGIN_RATE_LIMIT env var

Testing:
- Set high rate limit (1000/min) in docker-compose.local.yml for tests
- All 265 tests pass
 2026-01-08 18:18:29 -06:00
Mondo Diaz
d61c7a71fb Add project-level authorization checks 
Authorization:
- Add AuthorizationService for checking project access
- Implement get_user_access_level() with admin, owner, and permission checks
- Add check_project_access() helper for route handlers
- Add grant_access() and revoke_access() methods
- Add ProjectAccessChecker dependency class

Routes:
- Add authorization checks to project CRUD (read, update, delete)
- Add authorization checks to package create
- Add authorization checks to upload endpoint (requires write)
- Add authorization checks to download endpoint (requires read)
- Add authorization checks to tag create

Tests:
- Fix pagination flakiness in test_list_projects
- Fix pagination flakiness in test_projects_search
- Add API key authentication to concurrent upload test
 2026-01-08 16:20:42 -06:00
Mondo Diaz
b1c17e8ab7 Add security hardening and additional auth tests 
Security improvements:
- Add password strength validation (min 8 characters)
- Invalidate all sessions on password change/reset
- Add timing-safe user lookup to prevent enumeration attacks
- Fix SQLAlchemy boolean comparisons (== True -> is_(True))
- Change default admin password to 'changeme123' (meets min length)

New tests (7 additional):
- Inactive user login attempt blocked
- Short password rejected on create/change/reset
- Duplicate username rejected (409)
- Non-owner API key deletion blocked (403)
- Sessions invalidated on password change
 2026-01-08 15:37:53 -06:00
Mondo Diaz
2a68708a79 Add user authentication system with API key management (#50) 
- Add User, Session, AuthSettings models with bcrypt password hashing
- Add auth endpoints: login, logout, change-password, me
- Add API key CRUD: create (orch_xxx format), list, revoke
- Add admin user management: list, create, update, reset-password
- Create default admin user on startup (admin/admin)
- Add frontend: Login page, API Keys page, Admin Users page
- Add AuthContext for session state management
- Add user menu to Layout header with login/logout/settings
- Add 15 integration tests for auth system
- Add migration 006_auth_tables.sql
 2026-01-08 15:01:37 -06:00
Mondo Diaz
35fda65d38 Add download verification with SHA256 checksum support (#26, #27, #28, #29) 2026-01-07 13:36:46 -06:00
Mondo Diaz
2f1891cf01 Metadata database tracks all uploads with project, package, tag, and timestamp queryable via API 2026-01-07 12:31:44 -06:00
Mondo Diaz
7e68baed08 Add ref_count management for deletions with atomic operations and error handling 2026-01-06 13:44:23 -06:00
Mondo Diaz
2df97ae94a Add presigned URL support for direct S3 downloads (#48) 2025-12-15 16:06:51 -06:00
Mondo Diaz
3fd2747ae4 Store SHA256 checksums with artifacts and add multiple hash support 2025-12-15 14:47:30 -06:00
Mondo Diaz
096887d4da Add global search and filtering enhancements 2025-12-12 12:12:46 -06:00
Mondo Diaz
7d80bef39a Fix: restore enhanced tags API endpoints 2025-12-12 10:57:27 -06:00
Mondo Diaz
5d0122fc36 Revert "Add API endpoints for listing tagged versions and artifacts" 
This reverts commit 54e33e67ce.
 2025-12-12 10:33:21 -06:00
Mondo Diaz
2b5bc60a69 Add API endpoints for listing tagged versions and artifacts 2025-12-12 10:23:40 -06:00
Mondo Diaz
dea03c4a12 Implement Backend API to List Packages within a Project 2025-12-11 18:47:46 -06:00
Mondo Diaz
c119ab4a04 Implement backend upload/download API enhancements 2025-12-11 18:05:08 -06:00
Mondo Diaz
b896ad1fad Add pagination and search to projects API 2025-12-11 15:03:41 -06:00
Mondo Diaz
ff7df9eb3f Rename terminology to industry standard terms 
- Grove → Project
- Tree → Package
- Fruit → Artifact
- Graft → Tag
- Cultivate → Upload
- Harvest → Download

Updated across:
- Backend models, schemas, and routes
- Frontend types, API client, and components
- README documentation
- API endpoints now use /project/:project/packages pattern
 2025-12-08 10:38:44 -06:00
Mondo Diaz
2261bfc830 Rewrite from Go + vanilla JS to Python (FastAPI) + React (TypeScript) 
- Backend: Python 3.12 with FastAPI, SQLAlchemy, boto3
- Frontend: React 18 with TypeScript, Vite build tooling
- Updated Dockerfile for multi-stage Node + Python build
- Updated CI pipeline for Python backend
- Removed old Go code (cmd/, internal/, go.mod, go.sum)
- Updated README with new tech stack documentation
 2025-12-05 17:16:43 -06:00