feat: add admin static token as auth alternative#63

Merged: toddeTV merged 4 commits into main from feat/admin-static-token-auth, May 3, 2026

Conversation

toddeTV (Owner) commented May 3, 2026

Summary by CodeRabbit

  • New Features

    • Optional static admin token authentication can be enabled via environment configuration.
  • Documentation

    • API docs updated: admin login behavior and verification now describe both JWT and static-token modes and include a static-token curl example.
    • Deployment and production setup docs updated with guidance on the admin token, when to set it, and rotation/redeploy notes.

@toddeTV toddeTV self-assigned this May 3, 2026
coderabbitai Bot commented May 3, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yml

Review profile: CHILL

Plan: Pro

Run ID: 4a094f32-3172-4933-9778-f5c67af7c88b

📥 Commits

Reviewing files that changed from the base of the PR and between 984708e and 7038c17.

📒 Files selected for processing (1)
  • docs/api.md
✅ Files skipped from review due to trivial changes (1)
  • docs/api.md

📝 Walkthrough

Walkthrough

Adds optional static admin-token authentication alongside existing JWT-based admin login. New NUXT_ADMIN_TOKEN runtime/config entries and auth logic accept Authorization: Bearer <token> (preferred over admin_token cookie) to short-circuit verification and return a static admin payload; docs and deployment guides updated.

Changes

Static Admin Token Authentication

| Layer | File(s) | Summary |
|---|---|---|
| Env / Config | .env.example, nuxt.config.ts | Adds NUXT_ADMIN_TOKEN to .env.example; runtimeConfig.adminToken added (server-private, default empty). |
| Token Extraction | server/utils/auth.ts | getToken(event) now prefers Authorization: Bearer ... header and falls back to admin_token cookie. |
| Static Token Validation | server/utils/auth.ts | Introduces VerifiedAdminPayload type and getStaticAdminPayload(token, configuredToken) which returns a static admin payload when the provided token matches configured adminToken. |
| Verify Flow | server/utils/auth.ts | verifyAdmin checks getStaticAdminPayload first and returns the static payload early if matched; otherwise proceeds with existing JWT verification path. |
| API Docs | docs/api.md | POST /api/auth/login clarified as browser-style login that sets admin_token cookie; /api/auth/verify docs updated to state Authorization: Bearer accepts either a JWT or the static NUXT_ADMIN_TOKEN; adds curl example for static token. |
| Deployment / Production Docs | docs/deployment-docker.md, docs/setup-production.md | Guidance added to include NUXT_ADMIN_TOKEN (optional; leave empty to disable), notes on use-case, secrecy, single-token requirement, and rotation guidance. |
```mermaid
sequenceDiagram
  participant Client
  participant Server
  participant Config
  participant JWTVerifier

  Client->>Server: Request with Authorization: Bearer <token> (or cookie)
  Server->>Config: Read runtimeConfig.adminToken
  alt provided token equals configured adminToken
    Server->>Server: getStaticAdminPayload -> static admin payload
    Server-->>Client: 200 OK with user payload (static-token)
  else not a static-token
    Server->>JWTVerifier: Verify Bearer token (or cookie)
    alt JWT valid
      JWTVerifier-->>Server: decoded JWT payload
      Server-->>Client: 200 OK with user payload (jwt)
    else invalid
      Server-->>Client: 401 Unauthorized
    end
  end
```

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 75.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title clearly and specifically describes the main change: adding a static token as an alternative authentication method for admin access. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


coderabbitai Bot left a review comment

🧹 Nitpick comments (1)
docs/api.md (1)

46-50: 💤 Low value

Consider clarifying JWT availability for Bearer token usage.

The documentation states Authorization: Bearer <token> accepts "A JWT created by POST /api/auth/login". However, the login endpoint sets the JWT in an HTTP-only cookie and returns only { success: true } in the response body—the JWT isn't directly accessible to JavaScript clients.

For external software integration, the static token path (NUXT_ADMIN_TOKEN) is the intended approach, which is correctly documented. Consider clarifying that the JWT mode is primarily for cookie-based browser sessions, while external software should use the static token.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@docs/api.md` around lines 46 - 50, Update the "Authorization: Bearer <token>"
docs to clarify that the JWT referenced from POST /api/auth/login is set as an
HTTP-only cookie and is not returned in the response body (so it isn't
accessible to JS clients), that this JWT mode is for browser cookie-based admin
sessions, and that external software or API clients should use the exact static
token configured in NUXT_ADMIN_TOKEN for Bearer header authentication instead.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yml

Review profile: CHILL

Plan: Pro

Run ID: 9ad448ae-839c-4946-82f3-127af8d5d09d

📥 Commits

Reviewing files that changed from the base of the PR and between 5fb2fd1 and 984708e.

📒 Files selected for processing (6)
  • .env.example
  • docs/api.md
  • docs/deployment-docker.md
  • docs/setup-production.md
  • nuxt.config.ts
  • server/utils/auth.ts
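Added example, not the project's own code: a self-contained TypeScript model of the token extraction, static-token validation and verify flow summarised in the walkthrough, which also makes the review comment's point concrete (the JWT lives in the admin_token cookie for browser sessions, the static token is what an external client sends as Bearer). The Req/Config shapes, the HS256 stand-in verifier and signJwt are assumptions; it goes beyond the page in that the static-token comparison is constant-time and an empty NUXT_ADMIN_TOKEN is treated as "mode disabled", which is what a deployer leaving the variable empty expects.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";
// Minimal stand-ins for the h3 event and Nuxt runtimeConfig (assumptions for this example).
export interface Req { headers: Record<string, string>; cookies: Record<string, string> }
export interface Config { adminToken: string; jwtSecret: string }
export interface VerifiedAdminPayload { sub: string; role: "admin"; authMode: "static-token" | "jwt" }

// Token extraction: prefer Authorization: Bearer <token>, fall back to the admin_token cookie.
export function getToken(req: Req): string | null {
  const m = /^Bearer\s+(\S+)$/i.exec(req.headers["authorization"] ?? "");
  return m ? m[1] : (req.cookies["admin_token"] ?? null);
}

// Static-token check. An empty configured token disables the mode (never matches), and the
// comparison is constant-time so a wrong guess cannot be distinguished by response timing.
export function getStaticAdminPayload(token: string | null, configuredToken: string): VerifiedAdminPayload | null {
  if (!token || !configuredToken) return null;
  const a = Buffer.from(token), b = Buffer.from(configuredToken);
  if (a.length !== b.length || !timingSafeEqual(a, b)) return null;
  return { sub: "admin", role: "admin", authMode: "static-token" };
}

// Stand-in HS256 JWT verifier (assumption; the project uses its own JWT library).
function verifyJwt(token: string, secret: string): VerifiedAdminPayload | null {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  const expected = createHmac("sha256", secret).update(`${parts[0]}.${parts[1]}`).digest("base64url");
  const sig = Buffer.from(parts[2]), exp = Buffer.from(expected);
  if (sig.length !== exp.length || !timingSafeEqual(sig, exp)) return null;
  const claims = JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
  if (typeof claims.exp === "number" && claims.exp < Date.now() / 1000) return null;
  return { sub: String(claims.sub), role: "admin", authMode: "jwt" };
}

// Verify flow: static token first (early return), otherwise the JWT path; anything else is a 401.
export function verifyAdmin(req: Req, cfg: Config): VerifiedAdminPayload {
  const token = getToken(req);
  const staticPayload = getStaticAdminPayload(token, cfg.adminToken);
  if (staticPayload) return staticPayload;
  const jwtPayload = token ? verifyJwt(token, cfg.jwtSecret) : null;
  if (!jwtPayload) throw new Error("401 Unauthorized");
  return jwtPayload;
}

// Mints a JWT the stand-in verifier accepts, standing in for POST /api/auth/login (constructed for the example).
export function signJwt(claims: Record<string, unknown>, secret: string): string {
  const enc = (o: object) => Buffer.from(JSON.stringify(o)).toString("base64url");
  const signingInput = `${enc({ alg: "HS256", typ: "JWT" })}.${enc(claims)}`;
  return `${signingInput}.${createHmac("sha256", secret).update(signingInput).digest("base64url")}`;
}
```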

@toddeTV toddeTV merged commit 99c141a into main May 3, 2026
5 checks passed
@toddeTV toddeTV deleted the feat/admin-static-token-auth branch May 3, 2026 20:31