lhumina_code/home
23
0
Fork 0
Code Issues 6 Pull requests Projects Releases Packages Wiki Activity Actions

[auth] Finalize prod auth path on hero_proxy and remove demo nginx basic-auth helper #186

New issue
Closed
opened 2026-04-25 20:35:48 +00:00 by mik-tf · 1 comment
mik-tf commented 2026-04-25 20:35:48 +00:00
Owner
Copy link

Summary

Hero OS currently ships two parallel auth paths in hero_skills (after PR #129 + PR #130):

This split was deliberate so the demo (no Google OAuth client, no real users) could ship without OAuth setup. For prod we want exactly one path — the canonical hero_proxy one — and the demo nginx helper to go away.

Why this matters

  • Two auth paths = two failure modes to monitor + two attack surfaces.
  • The nginx basic-auth gate sits outside hero_proxy, so hero_proxy features (per-domain auth modes, X-Hero-Context injection, claims forwarding) are bypassed when basic-auth is in front.
  • Operators currently have to choose; fewer choices = fewer ways to mis-deploy.

What needs to happen

  1. Validate proxy_auth_setup on a real TF Grid VM with TLS + DNS + a real OAuth provider (Google, or bearer for first iteration).
    • Confirm hero_proxy domain add ... --auth-mode oauth actually serves the gate at https://<hostname>/.
    • Confirm X-Hero-Context + X-Hero-Claims are injected on per-service requests.
    • Confirm the optional mode behaviour matches what the demo wants (guest-first, login optional).
  2. Document the canonical setup in DEPLOYMENT_NU_HERO_OS.md §12 — currently §12.2 is a sketch; needs the same step-by-step rigor as §12.1.
  3. Update the demo deploy (herodemo.gent01.grid.tf) to use proxy_auth_setup --mode optional (or bearer) — kill the nginx process there.
  4. Remove basic_auth_setup + tools/modules/installers/auth.nu from hero_skills once nothing uses it. Strip §12.1 from the runbook. Update the §0.1 Quick path.

Acceptance criteria

  • proxy_auth_setup validated end-to-end on a TF Grid VM (TLS + auth gate working)
  • Runbook §12 rewritten with the canonical step-by-step (mirrors §12.1's level of detail)
  • herodemo migrated off nginx onto hero_proxy
  • basic_auth_setup removed from hero_skills (PR + commit)
  • Runbook §0.1 "What's still manual" entry for §12 collapsed to a single canonical option

Related

  • Master Phase 2 tracker: #185
  • Auth deploy gap (basic mode): #182
  • PRs that introduced both helpers: hero_skills #129 (basic) + hero_skills #130 (canonical)

Signed-off-by: mik-tf

## Summary Hero OS currently ships **two parallel auth paths** in `hero_skills` (after [PR #129](https://forge.ourworld.tf/lhumina_code/hero_skills/pulls/129) + [PR #130](https://forge.ourworld.tf/lhumina_code/hero_skills/pulls/130)): - `basic_auth_setup` — nginx + htpasswd (demo gate, [tools/modules/installers/auth.nu](https://forge.ourworld.tf/lhumina_code/hero_skills/src/branch/development/tools/modules/installers/auth.nu)) - `proxy_auth_setup` — `hero_proxy --auth-mode oauth/bearer/optional` (canonical, [tools/modules/installers/proxy_auth.nu](https://forge.ourworld.tf/lhumina_code/hero_skills/src/branch/development/tools/modules/installers/proxy_auth.nu)) This split was deliberate so the demo (no Google OAuth client, no real users) could ship without OAuth setup. **For prod we want exactly one path — the canonical `hero_proxy` one — and the demo nginx helper to go away.** ## Why this matters - Two auth paths = two failure modes to monitor + two attack surfaces. - The nginx basic-auth gate sits **outside** `hero_proxy`, so `hero_proxy` features (per-domain auth modes, `X-Hero-Context` injection, claims forwarding) are bypassed when basic-auth is in front. - Operators currently have to choose; fewer choices = fewer ways to mis-deploy. ## What needs to happen 1. **Validate `proxy_auth_setup` on a real TF Grid VM** with TLS + DNS + a real OAuth provider (Google, or bearer for first iteration). - Confirm `hero_proxy domain add ... --auth-mode oauth` actually serves the gate at `https://<hostname>/`. - Confirm `X-Hero-Context` + `X-Hero-Claims` are injected on per-service requests. - Confirm the `optional` mode behaviour matches what the demo wants (guest-first, login optional). 2. **Document the canonical setup in DEPLOYMENT_NU_HERO_OS.md §12** — currently §12.2 is a sketch; needs the same step-by-step rigor as §12.1. 3. **Update the demo deploy** (herodemo.gent01.grid.tf) to use `proxy_auth_setup --mode optional` (or `bearer`) — kill the nginx process there. 4. **Remove `basic_auth_setup` + `tools/modules/installers/auth.nu` from hero_skills** once nothing uses it. Strip §12.1 from the runbook. Update the §0.1 Quick path. ## Acceptance criteria - [ ] `proxy_auth_setup` validated end-to-end on a TF Grid VM (TLS + auth gate working) - [ ] Runbook §12 rewritten with the canonical step-by-step (mirrors §12.1's level of detail) - [ ] herodemo migrated off nginx onto `hero_proxy` - [ ] `basic_auth_setup` removed from `hero_skills` (PR + commit) - [ ] Runbook §0.1 "What's still manual" entry for §12 collapsed to a single canonical option ## Related - Master Phase 2 tracker: https://forge.ourworld.tf/lhumina_code/home/issues/185 - Auth deploy gap (basic mode): https://forge.ourworld.tf/lhumina_code/home/issues/182 - PRs that introduced both helpers: hero_skills #129 (basic) + hero_skills #130 (canonical) Signed-off-by: mik-tf
mik-tf commented 2026-04-28 12:21:33 +00:00
Author
Owner
Copy link

Moved to hero_demo#37 — see lhumina_code/hero_demo#37

Moved to hero_demo#37 — see https://forge.ourworld.tf/lhumina_code/hero_demo/issues/37
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
development
main
No results found.
Labels
Clear labels
No items
No labels
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
lhumina_code/home#186
No description provided.