feat(auth): add CLI auth login flow with farmer validation and audit wiring #273

Merged: taigrr merged 1 commit into master from cd/cli-auth-flow on Mar 31, 2026
taigrr (Member) commented Mar 31, 2026

Summary

Add auth.login NATS endpoint — a formal CLI-to-farmer authentication handshake. The CLI presents its signed token (containing the user's public key) and the farmer validates it against configured users, returning the user's identity, role, permissions, and admin status.

Changes

New NATS endpoint: grlx.api.auth.login

  • Validates the CLI user's token and returns a LoginResponse with:
    • authenticated (bool), pubkey, role, username
    • isAdmin flag and full actions permission list
    • Human-readable message (e.g. "authenticated as alice (role: admin)")
  • Handles dangerously_allow_root mode
  • Returns structured error for unrecognized/expired tokens

New CLI command: grlx auth login

  • Explicit identity verification before running commands
  • Shows user, pubkey, role, admin status, and permissions
  • Supports --out json for machine-readable output

Client library

  • client.Login() — full login handshake
  • client.ValidateAuth() — lightweight pre-flight check

Wiring

  • Registered in NATS router, middleware (ActionUserRead), and public methods
  • Added as read-only action in audit system
  • LoginResponse type in api/types

Tests

  • 8 new handler tests (dangerously_allow_root, no token, valid token, invalid token, admin token, public method check, middleware action check)
  • 2 new client-side tests (response unmarshal, unauthenticated response)
  • Existing TestAllMethodsMatchRoutes and TestAllMethodsHaveRBACMapping auto-verify registration

Context

Round 10 of continuous development — CLI auth flow chunk from the NATS migration plan.

…wiring

Add auth.login NATS endpoint that provides a formal CLI-to-farmer
authentication handshake. The CLI presents its signed token (containing
the user's public key) and the farmer validates it against configured
users, returning identity, role, permissions, and admin status.

Changes:
- Add auth.login NATS subject and handler (public method, handles own auth)
- Add LoginResponse type with full permission summary
- Add client.Login() and client.ValidateAuth() for CLI-side auth
- Add 'grlx auth login' CLI command for explicit identity verification
- Wire auth.login through RBAC middleware (ActionUserRead)
- Register auth.login as read-only action in audit system
- Add comprehensive tests for handler, client, middleware, and audit
taigrr merged commit b0a769e into master on Mar 31, 2026
6 of 7 checks passed
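
The handshake described in the summary, as an added Go sketch that is not grlx's code: the farmer side checks the token's signature, its expiry, and that the embedded public key belongs to a configured user, returning one structured error for every failure. The token layout, the `User` record, the `MakeToken` helper, the `auth.login` action string, the rule that role `admin` sets `IsAdmin`, and all Go names are assumptions; `dangerously_allow_root` handling is left out.

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// LoginResponse holds the fields the PR summary lists; Go names and User are assumed.
type LoginResponse struct {
	Authenticated, IsAdmin          bool
	Pubkey, Role, Username, Message string
	Actions                         []string
}
type User struct { // hypothetical configured-user record, keyed by hex pubkey
	Name, Role string
	Actions    []string
}

var ErrLogin = errors.New("unrecognized or expired token") // same error for every failure

// MakeToken builds a constructed token; assumed layout: pubkey(32) | expiry(8, BE) | sig(64) over first 40 bytes.
func MakeToken(seed [32]byte, exp time.Time) (id string, token []byte) {
	priv := ed25519.NewKeyFromSeed(seed[:])
	pub := priv.Public().(ed25519.PublicKey)
	token = binary.BigEndian.AppendUint64(append([]byte{}, pub...), uint64(exp.Unix()))
	return fmt.Sprintf("%x", pub), append(token, ed25519.Sign(priv, token)...)
}

// Login fails closed: a signature proves key possession only; the key must also be a configured user.
func Login(token []byte, users map[string]User, now time.Time) (LoginResponse, error) {
	if len(token) != ed25519.PublicKeySize+8+ed25519.SignatureSize {
		return LoginResponse{}, ErrLogin
	}
	id := fmt.Sprintf("%x", token[:32])
	exp := time.Unix(int64(binary.BigEndian.Uint64(token[32:40])), 0)
	u, known := users[id]
	if !ed25519.Verify(token[:32], token[:40], token[40:]) || !now.Before(exp) || !known {
		return LoginResponse{}, ErrLogin
	}
	msg := fmt.Sprintf("authenticated as %s (role: %s)", u.Name, u.Role)
	return LoginResponse{true, u.Role == "admin", id, u.Role, u.Name, msg, u.Actions}, nil
}

func main() {
	id, tok := MakeToken([32]byte{1}, time.Now().Add(time.Hour)) // constructed key and token
	fmt.Println(Login(tok, map[string]User{id: {"alice", "admin", []string{"auth.login"}}}, time.Now()))
}
```

A token signed by a key that is not in the user map is rejected even though its signature verifies, which is the case a signature-only check would miss.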