[auth] Finalize prod auth path on hero_proxy and remove demo nginx basic-auth helper #37

Open
opened 2026-04-28 12:21:33 +00:00 by mik-tf · 0 comments
Owner

Summary

Hero OS currently ships two parallel auth paths in hero_skills (after PR #129 + PR #130):

  • basic_auth_setup — nginx + htpasswd (demo gate, tools/modules/installers/auth.nu)
  • proxy_auth_setup — hero_proxy --auth-mode oauth/bearer/optional (canonical, tools/modules/installers/proxy_auth.nu)

This split was deliberate so the demo (no Google OAuth client, no real users) could ship without OAuth setup. For prod we want exactly one path — the canonical hero_proxy one — and the demo nginx helper to go away.

Why this matters

  • Two auth paths = two failure modes to monitor + two attack surfaces.
  • The nginx basic-auth gate sits outside hero_proxy, so hero_proxy features (per-domain auth modes, X-Hero-Context injection, claims forwarding) are bypassed when basic-auth is in front.
  • Operators currently have to choose; fewer choices = fewer ways to mis-deploy.

What needs to happen

  1. Validate proxy_auth_setup on a real TF Grid VM with TLS + DNS + a real OAuth provider (Google, or bearer for first iteration).
    • Confirm hero_proxy domain add ... --auth-mode oauth actually serves the gate at https://<hostname>/.
    • Confirm X-Hero-Context + X-Hero-Claims are injected on per-service requests.
    • Confirm the optional mode behaviour matches what the demo wants (guest-first, login optional).
  2. Document the canonical setup in DEPLOYMENT_NU_HERO_OS.md §12 — currently §12.2 is a sketch; needs the same step-by-step rigor as §12.1.
  3. Update the demo deploy (herodemo.gent01.grid.tf) to use proxy_auth_setup --mode optional (or bearer) — kill the nginx process there.
  4. Remove basic_auth_setup + tools/modules/installers/auth.nu from hero_skills once nothing uses it. Strip §12.1 from the runbook. Update the §0.1 Quick path.

Acceptance criteria

  • proxy_auth_setup validated end-to-end on a TF Grid VM (TLS + auth gate working)
  • Runbook §12 rewritten with the canonical step-by-step (mirrors §12.1's level of detail)
  • herodemo migrated off nginx onto hero_proxy
  • basic_auth_setup removed from hero_skills (PR + commit)
  • Runbook §0.1 "What's still manual" entry for §12 collapsed to a single canonical option

Related

  • Master Phase 2 tracker: https://forge.ourworld.tf/lhumina_code/home/issues/185
  • Auth deploy gap (basic mode): https://forge.ourworld.tf/lhumina_code/home/issues/182
  • PRs that introduced both helpers: hero_skills #129 (basic) + hero_skills #130 (canonical)

Signed-off-by: mik-tf

Originally filed as home#186 (https://forge.ourworld.tf/lhumina_code/home/issues/186) on 2026-04-25 by mik-tf — moved to hero_demo as part of consolidating issue tracking.
Reference
lhumina_code/hero_demo#37