
Multi-user auth, RBAC, Next.js frontend, security hardening#12

Merged: TomMaSS merged 1 commit into main from multiuser on Mar 19, 2026

Conversation

@TomMaSS (Owner) commented Mar 19, 2026

Summary

  • Multi-user auth — Better Auth (email/password), closed sign-up, first-user bootstrap, password reset
  • RBAC — project_members with 5 roles (owner → viewer), permission middleware on all endpoints
  • Next.js frontend — React 19, Tailwind v4, shadcn/ui: project list, section viewer, chat panel, dependency graph, token stats dashboard, settings, member management
  • Real-time — WebSocket presence tracking, Redis pub/sub event broadcasting, HMAC token auth with jti replay protection
  • Chat with streaming — SSE, tool calls display, selection context, file attachments, Claude CLI + Anthropic API providers
  • Security hardening — member endpoint auth, ws-token derived from session (not body), schema-qualified to_regclass, default secret warnings, error message sanitization
  • Schema fix — auth user ID columns changed from UUID to TEXT (Better Auth uses random strings)
  • Demo — Playwright recording script rewritten, demo.gif regenerated (24s, light mode walkthrough of all tabs + settings)

Key files

| Area | Files |
| --- | --- |
| Auth | api/auth.py, frontend/src/app/(auth)/ |
| RBAC | db/07_multi_user.sql, api/app.py member endpoints |
| Frontend | frontend/src/app/, frontend/src/components/ |
| WebSocket | api/ws.py, api/app.py ws handler |
| Chat | api/app.py chat endpoints, frontend/src/components/chat-panel.tsx |
| Tests | tests/test_auth.py (ws-token, members, RBAC) |

Test plan

  • pytest tests/ -x -v — 171 tests pass
  • cd frontend && npx tsc --noEmit — typecheck clean
  • docker compose build python-api && docker compose up -d — builds and starts
  • Pre-setup mode: /api/projects/*/members returns 200
  • WS token endpoint derives user_id from session
  • Default WS_TOKEN_SECRET warning visible in logs
  • Demo GIF regenerated with current UI

- Change project_members.user_id and all auth-user columns from UUID
  to TEXT (Better Auth uses 32-char random strings, not UUIDs)
- Remove _uuid.UUID() casts in member endpoints
- Rewrite record_demo.py: fast sign-in, light mode, sections →
  comments → deps → changelog → stats → settings flow
- Regenerate demo.gif (24s, 1.6MB)
- TODO.md: move 5 completed items to Done, fix typos
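The WebSocket token scheme the summary lists (HMAC-signed token, jti replay protection, user_id taken from the session, warning on a default secret) is sketched below as an added example. It is not code from this repository; the class name, the claim layout and the default-secret placeholder are assumptions, and the project's actual api/ws.py may differ.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
import warnings
from typing import Optional

# Constructed placeholder; the project's real default value is not on the page.
DEFAULT_WS_TOKEN_SECRET = "change-me"


class WsTokenAuth:
    """Mint and verify short-lived HMAC-SHA256 signed WebSocket tokens (hypothetical class).

    Each token carries a random jti. A jti that has been accepted once is remembered
    until the token's expiry, so presenting the same token a second time is rejected.
    """

    def __init__(self, secret: str, ttl_seconds: int = 60):
        if secret == DEFAULT_WS_TOKEN_SECRET:
            warnings.warn("WS_TOKEN_SECRET is the default value; set a real secret")
        self._key = secret.encode()
        self._ttl = ttl_seconds
        self._seen = {}  # jti -> expiry timestamp of tokens already accepted

    def _sign(self, payload: bytes) -> str:
        return hmac.new(self._key, payload, hashlib.sha256).hexdigest()

    def mint(self, user_id: str, project_id: str, now: Optional[float] = None) -> str:
        # user_id is the server-side session identity, never a value from the request body
        now = time.time() if now is None else now
        claims = {"sub": user_id, "prj": project_id, "jti": secrets.token_hex(16), "exp": int(now + self._ttl)}
        payload = base64.urlsafe_b64encode(json.dumps(claims, separators=(",", ":")).encode()).decode()
        return f"{payload}.{self._sign(payload.encode())}"

    def verify(self, token: str, now: Optional[float] = None) -> Optional[dict]:
        now = time.time() if now is None else now
        # forget expired jtis so the replay set cannot grow without bound
        self._seen = {j: e for j, e in self._seen.items() if e > now}
        try:
            payload, sig = token.rsplit(".", 1)
        except ValueError:
            return None
        if not hmac.compare_digest(sig, self._sign(payload.encode())):
            return None  # tampered or foreign token
        claims = json.loads(base64.urlsafe_b64decode(payload))
        if claims["exp"] <= now or claims["jti"] in self._seen:
            return None  # expired, or a replay of an already-accepted token
        self._seen[claims["jti"]] = claims["exp"]
        return claims
```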
@TomMaSS TomMaSS merged commit a4bcfb3 into main Mar 19, 2026
1 check passed