[feat](trx-frontend-http): complete HTTP authentication implementation (phases 4-5)

Phase 4: Frontend login gate and role-based UI
- Add auth-gate HTML overlay with passphrase form
- Implement checkAuthStatus, authLogin, authLogout functions
- Auth startup sequence checks /auth/session before connecting
- Apply role-based restrictions: hide PTT/TX controls for rx role
- Handle 401/403 errors in postPath, return to login screen
- Add logout button in About tab with auth role display
- Passphrase form shows generic error messages (no info leakage)

Phase 5: Documentation
- Update trx-client.toml.example with [frontends.http.auth] section
  - All config fields with inline documentation and examples
  - Security notes about cookie settings
- Update README.md with HTTP Frontend Authentication section
  - Role model explanation (rx vs control)
  - Configuration example
  - Security considerations for local, LAN, and remote deployments
  - Architecture overview

UI Features:
- Login gate blocks main UI until authenticated
- Role badge shows authenticated status in About tab
- Error messages clear after 5 seconds
- Logout confirmation prevents accidental logouts
- Smooth transition from auth gate to main UI

All code compiles successfully. HTTP frontend build verified.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Stanislaw Grams <stanislawgrams@gmail.com>
2026-02-13 08:18:49 +01:00
parent a4b014d66a
commit 65e1073ea0
4 changed files with 250 additions and 7 deletions
@@ -33,6 +33,36 @@ enabled = true
listen = "127.0.0.1"
port = 8080
[frontends.http.auth]
# Optional passphrase-based authentication for the HTTP frontend
# Disabled by default to preserve backward compatibility
# Enable authentication (default: false)
enabled = false
# Read-only passphrase: grants access to status/events/audio (rx role)
# Leave unset to disable rx access
# rx_passphrase = "rx-only-passphrase"
# Full control passphrase: grants access to all endpoints including TX/PTT (control role)
# Leave unset to disable control access
# control_passphrase = "full-control-passphrase"
# Enforce TX/PTT access control (default: true)
# When true, TX/PTT endpoints return 404 to authenticated users without control role
tx_access_control_enabled = true
# Session time-to-live in minutes (default: 480 = 8 hours)
session_ttl_min = 480
# Set Secure flag on session cookie (default: false)
# Should be true if served over HTTPS; false for HTTP/localhost
cookie_secure = false
# Cookie SameSite attribute: Strict, Lax (default), or None
# Lax is a good balance between security and usability
cookie_same_site = "Lax"
[frontends.rigctl]
# Enable rigctl-compatible TCP interface (hamlib compatible)
enabled = false
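Review bot: The `cookie_same_site` comment lists `None` as an accepted value while `cookie_secure` defaults to `false` just above it; browsers reject a `SameSite=None` cookie that lacks the Secure attribute, so with that combination the session cookie is dropped and login will not persist. Either reject the combination at config load or state in the comment that `None` requires `cookie_secure = true`. The `[frontends.http.auth]` comments also leave undefined what happens when `enabled = true` and both `rx_passphrase` and `control_passphrase` stay unset; the example should say whether that denies all access or fails at startup. Since the passphrases sit in this file in plain text, a comment recommending restrictive file permissions on the deployed config would help as well.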