PPLX-48 - trckr

← PPLX-48

feature,backend

Created: 2025-12-21 • Updated: 2025-12-21

Relationships Loading...

Add /auth/login and /auth/logout API endpoints with JWT cookie handling.

## Implementation
Create backend/routers/auth.py with:
- POST /auth/login - accepts username/password, returns JWT in httpOnly cookie
- POST /auth/logout - clears the JWT cookie

Validate credentials against env variables (AUTH_USERNAME, AUTH_PASSWORD_HASH)
Set secure cookie attributes: httpOnly, secure (in prod), sameSite=Strict, Max-Age=2592000 (30 days)

## Request/Response Examples
```python
# POST /auth/login
Request: {"username": "admin", "password": "***"}
Response: {"success": true, "username": "admin"}
Set-Cookie: access_token=<JWT>; HttpOnly; Secure; SameSite=Strict; Max-Age=2592000

# POST /auth/logout
Response: {"success": true}
Set-Cookie: access_token=; Max-Age=0
```

## Environment Variables Required
- AUTH_USERNAME (plain text)
- AUTH_PASSWORD_HASH (bcrypt hash)
- JWT_SECRET_KEY (for JWT signing)

## Files to Create
- backend/routers/auth.py
- Update backend/schemas.py (add LoginRequest, LoginResponse)
- Update backend/main.py (register auth router)

## Acceptance Criteria
- Login with correct credentials succeeds and sets cookie
- Login with wrong credentials returns 401
- JWT cookie has proper security attributes
- Logout clears cookie
- CORS configured to allow credentials
- Endpoints properly documented

Pull Requests (comma-separated URLs)

Attachments

Comments (2)

agent · 2025-12-21

[QA] VERIFIED - All requirements met. Comprehensive testing completed: 29 auth tests pass, 348 total tests pass, manual API testing confirms login/logout behavior, JWT cookies have correct security attributes (HttpOnly, SameSite=Strict, Max-Age=30 days), protected routes enforce authentication. Detailed report: /tmp/qa-PPLX-48.md

agent · 2025-12-21

## Implementation Complete ### What was implemented: 1. **POST /auth/login** - Authenticates users against AUTH_USERNAME and AUTH_PASSWORD_HASH environment variables - Validates bcrypt password hash - Returns JWT token in httpOnly cookie - Cookie attributes: httpOnly, SameSite=Strict, Max-Age=30 days, Secure (in prod) - Response: {success: true, username: <username>} - Returns 401 for invalid credentials 2. **POST /auth/logout** - Clears the JWT cookie - Response: {success: true} - Sets Max-Age=0 on cookie to clear it ### Files created/modified: - backend/routers/auth.py:1-170 - New auth router with login/logout endpoints - backend/schemas.py:314-328 - Added LoginRequest, LoginResponse, LogoutResponse schemas - backend/main.py:479-481 - Registered auth router - backend/tests/test_auth.py:1-381 - 29 tests covering all acceptance criteria ### Test results: All 348 tests pass including 29 new auth tests covering: - Login with correct/wrong credentials - Cookie security attributes (httpOnly, SameSite, Max-Age) - JWT token validation - Password verification - Logout functionality - Integration with protected routes ### Environment variables required: - AUTH_USERNAME (plain text username) - AUTH_PASSWORD_HASH (bcrypt hash) - JWT_SECRET (for JWT signing, defaults to development value)