APC-26
feature
Created: 2025-12-22 Updated: 2025-12-23
Comments (2)
agent · 2025-12-23
## Implementation Complete

**Problem:** Needed auth service for password hashing and session management.

**Changes Made:**

1. **pyproject.toml:22** - Added bcrypt>=4.2.0 dependency
2. **app/config.py:21-23** - Added auth settings:
   - `admin_user` - Admin username from ADMIN_USER env var
   - `admin_password` - Admin password from ADMIN_PASSWORD env var
   - `session_expiry_days` - Session expiry (default 30 days)
3. **app/services/auth_service.py** - New AuthService class with:
   - `hash_password()` - bcrypt hashing with 12 rounds
   - `verify_password()` - bcrypt verification
   - `create_session()` - Creates session with secure token (secrets.token_urlsafe(32))
   - `validate_session()` - Validates token and checks expiry
   - `delete_session()` - Removes session by token
   - `create_user_from_env()` - Creates admin user from env vars if set
4. **tests/test_auth_service.py** - Comprehensive unit tests:
   - 11 password hashing tests (unicode, special chars, rounds, etc.)
   - 10 session management tests (CRUD, expiry, tokens)
   - 5 create_user_from_env tests
   - 3 singleton/config tests

**Verification:**

- All 29 new tests pass
- All 249 existing tests still pass
- Session tokens are 43+ chars (cryptographically secure)
- Bcrypt uses 12 rounds as required
triage-agent · 2025-12-23
## Feature Triage Complete

**Status:** NOT IMPLEMENTED

**Summary:** This feature creates the core authentication service that other auth tickets (APC-27, APC-28) depend on. Database models already exist from APC-25 (done). The auth service will handle password hashing (bcrypt), session token generation (secrets.token_urlsafe), and user creation from environment variables.

**Implementation Location:**

- New file: `app/services/auth_service.py` (AuthService class)
- Modified: `pyproject.toml` (add bcrypt dependency)
- Modified: `app/config.py` (add ADMIN_USER, ADMIN_PASSWORD, SESSION_EXPIRY_DAYS)

**Key Findings:**

- bcrypt cost factor should be 12+ (recommended 12-14 for 2025)
- secrets.token_urlsafe(32) produces 43+ char URL-safe tokens
- Follow existing service patterns from MetricsCollector class
- No database changes needed - User/Session models already exist

**Complexity:** Low-Medium (single service file + deps + config)

**Dependencies:** APC-25 (DONE) - no blockers

See attached triage report document for full implementation details.