feat(go-services): tracker-go — auth gate (itsdangerous + internal-trust)
Replicates main.py's AuthMiddleware so /go/ can be exposed safely:
- internal-trust: private source IP AND no X-Forwarded-For => skip auth
(loopback/compose callers; nginx adds XFF to all internet traffic).
- session cookie: byte-compatible itsdangerous URLSafeTimedSerializer verify
(HMAC-SHA1, django-concat key derivation sha1("itsdangerous"+"signer"+key),
Unix-epoch timestamp, urlsafe-b64 no pad, optional zlib payload), keyed on the
same SECRET_KEY. 30-day max-age. Public allowlist (/login,/logout,login assets,
/icons/,/health); 302->/login for html, 401 JSON otherwise.
Validated on the server: internal-trust loopback 200; external no-cookie 401;
html 302; valid cookie 200; tampered 401; /health public 200; and the SAME
Python-issued cookie authenticates BOTH services (cross-compat proof).
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
parent c4e8190656
commit bf15d4a2f7
3 changed files with 180 additions and 1 deletions
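The cookie format the commit message spells out (HMAC-SHA1 with django-concat key derivation, "payload.timestamp.signature", urlsafe base64 without padding, optional zlib payload marked by a leading ".", 30-day max-age) and the internal-trust rule, written out as an added Go example. This is not tracker-go's code and nothing here was taken from main.py; the function names Dumps, Loads and IsInternalTrust, the secret "s3cr3t" and the sample payloads are assumptions for illustration, and the salt is assumed to be URLSafeTimedSerializer's default "itsdangerous", as the commit message states.

```go
package main

import (
	"bytes"
	"compress/zlib"
	"crypto/hmac"
	"crypto/sha1"
	"encoding/base64"
	"encoding/json"
	"errors"
	"io"
	"math/big"
	"net"
	"strings"
	"time"
)

// Wire format assumed from the commit message (not tracker-go's own code).
var (
	salt         = "itsdangerous" // URLSafeTimedSerializer's default salt
	sep          = "."
	MaxAge       = 30 * 24 * time.Hour
	b64          = base64.RawURLEncoding // urlsafe alphabet, no '=' padding
	ErrMalformed = errors.New("itsdangerous: malformed token")
	ErrBadSig    = errors.New("itsdangerous: bad signature")
	ErrExpired   = errors.New("itsdangerous: expired or future timestamp")
)

// mac is HMAC-SHA1 over value keyed with django-concat: sha1(salt+"signer"+secret).
func mac(secret string, value []byte) []byte {
	key := sha1.Sum([]byte(salt + "signer" + secret))
	h := hmac.New(sha1.New, key[:])
	h.Write(value)
	return h.Sum(nil)
}
// splitLast cuts off the last "."-separated field, like Python's rsplit(sep, 1).
func splitLast(s string) (head, tail string, ok bool) {
	i := strings.LastIndex(s, sep)
	if i < 0 {
		return "", "", false
	}
	return s[:i], s[i+1:], true
}
// Dumps mirrors dumps(obj): compact JSON, zlib-deflated with a leading "." when smaller, then "payload.timestamp.signature".
func Dumps(secret string, obj any, now time.Time) (string, error) {
	raw, err := json.Marshal(obj)
	if err != nil {
		return "", err
	}
	var zbuf bytes.Buffer
	zw := zlib.NewWriter(&zbuf)
	zw.Write(raw)
	zw.Close()
	payload := b64.EncodeToString(raw)
	if zbuf.Len() < len(raw)-1 {
		payload = "." + b64.EncodeToString(zbuf.Bytes())
	}
	ts := big.NewInt(now.Unix()).Bytes() // minimal big-endian bytes, as int_to_bytes does
	signed := payload + sep + b64.EncodeToString(ts)
	return signed + sep + b64.EncodeToString(mac(secret, []byte(signed))), nil
}
// Loads checks the MAC before trusting any field, then the age window, then decodes the payload into out.
func Loads(secret, token string, now time.Time, out any) error {
	signed, sigB64, ok := splitLast(token)
	sig, err := b64.DecodeString(sigB64)
	if !ok || err != nil {
		return ErrMalformed
	}
	if !hmac.Equal(sig, mac(secret, []byte(signed))) {
		return ErrBadSig
	}
	payload, tsB64, ok := splitLast(signed)
	ts, err := b64.DecodeString(tsB64)
	raw, err2 := b64.DecodeString(strings.TrimPrefix(payload, "."))
	if !ok || err != nil || err2 != nil {
		return ErrMalformed
	}
	issued := time.Unix(new(big.Int).SetBytes(ts).Int64(), 0)
	if age := now.Sub(issued); age < 0 || age > MaxAge {
		return ErrExpired
	}
	if strings.HasPrefix(payload, ".") { // "." prefix marks a zlib-compressed payload
		zr, err := zlib.NewReader(bytes.NewReader(raw))
		if err == nil {
			raw, err = io.ReadAll(zr)
		}
		if err != nil {
			return ErrMalformed
		}
	}
	return json.Unmarshal(raw, out)
}

// IsInternalTrust is the bypass rule: loopback/private peer AND no X-Forwarded-For.
func IsInternalTrust(remoteAddr, xff string) bool {
	host, _, _ := net.SplitHostPort(remoteAddr) // http.Request.RemoteAddr is host:port
	ip := net.ParseIP(host)
	return ip != nil && xff == "" && (ip.IsLoopback() || ip.IsPrivate())
}
```

Two points worth keeping in mind when reading it against the commit. The MAC is checked before the timestamp or payload are parsed, and a signature made under a different SECRET_KEY fails the same way as a tampered payload, which is what lets one key serve both services. The internal-trust rule is only as safe as the statement "nginx adds XFF to all internet traffic": any path by which a private-range host can reach the Go listener directly, without nginx in front, skips authentication entirely, so that listener should not be bound on an interface such hosts can reach.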
@ -30,6 +30,9 @@ services:
# Read-only use of the same dereth TimescaleDB the Python tracker writes.
DATABASE_URL: "postgresql://postgres:${POSTGRES_PASSWORD}@db:5432/dereth"
INVENTORY_SERVICE_URL: "http://inventory-service:8000"
# Same signing key as the Python tracker so the same login cookie verifies
# on both during the parallel run.
SECRET_KEY: "${SECRET_KEY}"
LOG_LEVEL: "INFO"
depends_on:
- db
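Review bot: the DATABASE_URL line connects as the postgres superuser while the comment directly above it promises read-only use of the shared dereth database, so any bug or SQL injection in tracker-go gets write and DDL rights over the Python tracker's tables; create a dedicated role with SELECT only and its own password for tracker-go and point DATABASE_URL at that instead of `postgresql://postgres:${POSTGRES_PASSWORD}@db:5432/dereth`. The new SECRET_KEY entry also deserves a note in the comment that whoever can read this container's environment (`docker inspect`, /proc) can mint cookies valid on both services for the whole parallel run, which argues for compose `secrets:` or an env_file with restricted permissions rather than a plain `environment:` entry.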