NationTech/harmony
3
0
Fork 2
Code Issues 38 Pull Requests 29 Actions Packages Projects Releases 1 Wiki Activity

feat/fleet-operator-web-frontend-maud #283

Merged
johnride merged 3 commits from feat/fleet-operator-web-frontend-maud into feat/iot-walking-skeleton 2026-05-20 10:35:07 +00:00
Conversation 0 Commits 3 Files Changed 89 +6019 -327
johnride commented 2026-05-12 02:44:34 +00:00
Owner
Copy Link
No description provided.
johnride added 2 commits 2026-05-12 02:44:35 +00:00
chore: cargo fmt b163656859
feat: maud + htmx + tailwindcss frontend for fleet operator, initial commit, still much work to do
Some checks failed
Run Check Script / check (pull_request) Failing after 59s
Details
ee95a5d1a3
johnride changed title from feat/fleet-operator-web-frontend-maud to wip: feat/fleet-operator-web-frontend-maud 2026-05-12 02:44:47 +00:00
johnride added 1 commit 2026-05-19 20:37:12 +00:00
add auth to frontend through lib (#284)
Some checks failed
Run Check Script / check (pull_request) Failing after 38s
Details
96e7d43b2f 
Adds OIDC login support to the harmony-fleet-operator web dashboard using Zitadel SSO.

pkce was the recommended option for this since we don't need to hold on to any secret. We compute a value on server before sending the data to Zitadel who validates authenticity by recomputing the hash and comparing the two values.

pkce Auth flow

 1. User visits a protected dashboard route, like /devices.
 2. If no valid harmony_fleet_session cookie exists, the app redirects to /login.
 3. /login creates:
     - random state
     - random pkce_code_verifier
     - derived code_challenge = base64url(sha256(pkce_code_verifier))
 4. The app stores state and pkce_code_verifier in a temporary HTTP-only login-attempt cookie.
 5. The browser is redirected to Zitadel’s authorize endpoint with:
     - client_id
     - redirect_uri
     - scope
     - state
     - code_challenge
     - code_challenge_method=S256
 6. After SSO login, Zitadel redirects back to /auth/callback?code=...&state=....
 7. The callback handler:
     - parses the raw query into a strict success/failure enum
     - reads the temporary login-attempt cookie
     - validates returned state
     - exchanges code + pkce_code_verifier for tokens
     - validates the returned ID token using OIDC discovery/JWKS
     - creates a local harmony_fleet_session cookie
     - redirects to /
 8. Protected routes validate the local dashboard session cookie on each request.
 9. /logout clears the dashboard session cookie and redirects to /login.

---

 Auth middleware responses depending on request type:

 - normal browser request: redirect to /login
 - SSE request: 401 authentication required
 - HTMX request: 401 with HX-Redirect: /login (HTMX redirect is more idiomatic than through Axum for this)

Reviewed-on: #284
Reviewed-by: johnride <jg@nationtech.io>
Co-authored-by: Reda Tarzalt <tarzaltreda@gmail.com>
Co-committed-by: Reda Tarzalt <tarzaltreda@gmail.com>
johnride changed title from wip: feat/fleet-operator-web-frontend-maud to feat/fleet-operator-web-frontend-maud 2026-05-20 10:34:57 +00:00
johnride merged commit 7620077b9b into feat/iot-walking-skeleton 2026-05-20 10:35:07 +00:00
johnride deleted branch feat/fleet-operator-web-frontend-maud 2026-05-20 10:35:08 +00:00
Sign in to join this conversation.
Reviewers
No Reviewers
Labels
Clear labels
Architecture Decision Record
Good first issue
RFC
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
johnride jvtrudel reda stremblay
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: NationTech/harmony#283
No description provided.
Delete Branch "feat/fleet-operator-web-frontend-maud"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?