Add Authentik SSO, budget visibility, Resend email, 12h item default

Opens Veola up to more users (Parodia's Authentik) and makes Apify spend
visible to everyone.

- Auth: Traefik forward-auth (trust X-Authentik-* headers only from
  trusted_proxies CIDRs, keyed by email, role synced from admin_group),
  keeping local password login as break-glass. New [auth] config,
  CaptureDirectIP + ForwardAuth middleware, deploy/authentik-forward-auth.md.
- Budget: count every Apify run (apify_api_usage table) and show
  calls + estimated cost to all users on the dashboard, with an optional
  monthly-budget bar. New [budget] config + settings.
- Email: Resend client for opt-in deal alerts and a weekly digest
  (Mon 09:00). Per-user email + toggles on Settings. New [resend] config.
- Defaults: new items default to a 12-hour poll interval to cut spend.

users table gains email/auth_source/email-pref columns (migrated in place).
go build/vet/test green; boots and migrates cleanly.
This commit is contained in:
prosolis
2026-06-20 11:12:11 -07:00
parent b6fadf6504
commit 7c95e4fd4e
23 changed files with 1883 additions and 261 deletions

View File

@@ -49,6 +49,10 @@ func (a *App) Routes() http.Handler {
// RealIP rewrites RemoteAddr from X-Forwarded-For — safe only because
// Veola is expected to sit behind a trusted proxy (Traefik) that sets
// it; Traefik must be configured to strip client-supplied values.
// CaptureDirectIP must run before RealIP: forward-auth trusts identity
// headers only from the real connecting peer, which RealIP would otherwise
// overwrite with the proxy-supplied X-Forwarded-For.
r.Use(auth.CaptureDirectIP)
r.Use(middleware.RealIP)
r.Use(middleware.Recoverer)
r.Use(securityHeaders)
@@ -70,6 +74,10 @@ func (a *App) Routes() http.Handler {
r.Group(func(r chi.Router) {
r.Use(a.Auth.Sessions.LoadAndSave)
r.Use(a.Auth.LoadUser)
// ForwardAuth runs after LoadUser so a trusted proxy's identity headers
// supersede any stale local session. No-op when forward-auth is off or
// the peer is untrusted.
r.Use(a.Auth.ForwardAuth)
r.Use(a.setupGate)
// Public auth pages.
@@ -106,6 +114,8 @@ func (a *App) Routes() http.Handler {
r.With(a.Auth.CSRFProtect).Post("/settings/test-ntfy", a.PostTestNtfy)
r.With(a.Auth.CSRFProtect).Post("/settings/test-apify", a.PostTestApify)
r.With(a.Auth.CSRFProtect).Post("/settings/test-ebay", a.PostTestEbay)
r.With(a.Auth.CSRFProtect).Post("/settings/test-resend", a.PostTestResend)
r.With(a.Auth.CSRFProtect).Post("/settings/email", a.PostEmailPrefs)
r.With(a.Auth.CSRFProtect, a.Auth.RequireAdmin).Post("/users", a.PostCreateUser)
r.With(a.Auth.CSRFProtect, a.Auth.RequireAdmin).Post("/users/{id}/delete", a.PostDeleteUser)
r.With(a.Auth.CSRFProtect, a.Auth.RequireAdmin).Post("/users/{id}/reset-password", a.PostResetPassword)