Add Authentik SSO, budget visibility, Resend email, 12h item default
Opens Veola up to more users (Parodia's Authentik) and makes Apify spend visible to everyone. - Auth: Traefik forward-auth (trust X-Authentik-* headers only from trusted_proxies CIDRs, keyed by email, role synced from admin_group), keeping local password login as break-glass. New [auth] config, CaptureDirectIP + ForwardAuth middleware, deploy/authentik-forward-auth.md. - Budget: count every Apify run (apify_api_usage table) and show calls + estimated cost to all users on the dashboard, with an optional monthly-budget bar. New [budget] config + settings. - Email: Resend client for opt-in deal alerts and a weekly digest (Mon 09:00). Per-user email + toggles on Settings. New [resend] config. - Defaults: new items default to a 12-hour poll interval to cut spend. users table gains email/auth_source/email-pref columns (migrated in place). go build/vet/test green; boots and migrates cleanly.
This commit is contained in:
53
internal/auth/forward_test.go
Normal file
53
internal/auth/forward_test.go
Normal file
@@ -0,0 +1,53 @@
|
||||
package auth
|
||||
|
||||
import "testing"
|
||||
|
||||
func TestForwardAuthTrusts(t *testing.T) {
|
||||
fa, err := NewForwardAuthConfig("u", "e", "n", "g", "admins", []string{"127.0.0.1/32", "10.0.0.0/8", "::1"})
|
||||
if err != nil {
|
||||
t.Fatalf("config: %v", err)
|
||||
}
|
||||
cases := map[string]bool{
|
||||
"127.0.0.1": true,
|
||||
"10.5.6.7": true,
|
||||
"::1": true,
|
||||
"192.168.1.1": false,
|
||||
"8.8.8.8": false,
|
||||
"": false,
|
||||
"not-an-ip": false,
|
||||
}
|
||||
for ip, want := range cases {
|
||||
if got := fa.trusts(ip); got != want {
|
||||
t.Errorf("trusts(%q) = %v, want %v", ip, got, want)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
func TestForwardAuthBadCIDR(t *testing.T) {
|
||||
if _, err := NewForwardAuthConfig("u", "e", "n", "g", "a", []string{"not-a-cidr/99"}); err == nil {
|
||||
t.Fatal("expected error for malformed CIDR")
|
||||
}
|
||||
}
|
||||
|
||||
func TestHasAdminGroup(t *testing.T) {
|
||||
fa := &ForwardAuthConfig{AdminGroup: "veola-admins"}
|
||||
cases := map[string]bool{
|
||||
"veola-admins": true,
|
||||
"users|veola-admins|staff": true, // Authentik pipe-delimited
|
||||
"users,veola-admins": true, // comma-delimited
|
||||
"VEOLA-ADMINS": true, // case-insensitive
|
||||
"users|staff": false,
|
||||
"": false,
|
||||
"veola-admins-extra": false,
|
||||
}
|
||||
for header, want := range cases {
|
||||
if got := fa.hasAdminGroup(header); got != want {
|
||||
t.Errorf("hasAdminGroup(%q) = %v, want %v", header, got, want)
|
||||
}
|
||||
}
|
||||
// Empty admin group never matches.
|
||||
empty := &ForwardAuthConfig{AdminGroup: ""}
|
||||
if empty.hasAdminGroup("anything") {
|
||||
t.Error("empty admin group should not match")
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user