Add browse frontend auth: users table, login/logout, is_public filtering #26

Closed
opened 2026-02-26 01:12:32 +00:00 by forgejo_admin · 0 comments

Plan

plan-2026-02-25-private-notes-auth — Phase 1

User Story

As a platform owner
I need private notes hidden from unauthenticated browse visitors
So that sensitive internal docs (plans, issues, SOPs) are not publicly visible

Acceptance Criteria

When I visit /browse/ without logging in
Then I only see notes where is_public=True

When I log in via /browse/login with valid credentials
Then I see all notes (public and private) with a visual indicator on private ones

When I visit /browse/notes/{private-slug} without logging in
Then I get a 404 response

When I log out via /browse/logout
Then my session is cleared and I only see public notes again

Additional Information

  • User model: id, email (unique), hashed_password, is_approved, created_at
  • Password hashing via passlib[bcrypt]
  • Session-based auth via itsdangerous signed cookies + Starlette SessionMiddleware
  • Seed user mechanism via PALDOCS_SEED_EMAIL + PALDOCS_SEED_PASSWORD env vars
  • API routes remain unauthenticated — only browse frontend gets auth
  • No registration UI — users seeded via env vars or created directly

Checklist

  • PR opened with related notes
  • Tests cover the acceptance criteria
  • Docs updated if needed

Related

  • pal-e-docs — project affected
  • Forgejo issue #2 — original auth tracking issue
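
The acceptance criteria above expressed as framework-free access-control logic. This is an added example, not code from pal-e-docs: the session is a plain dict standing in for the Starlette session, and `Note`, `User`, `current_user`, `list_notes`, `get_note` and `logout` are hypothetical names. Treating an unapproved account as anonymous is an assumption about how `is_approved` is used.

```python
from dataclasses import dataclass

class NotFound(Exception):
    """Maps to an HTTP 404 in the browse frontend."""

@dataclass(frozen=True)
class Note:
    slug: str
    title: str
    is_public: bool

@dataclass(frozen=True)
class User:
    id: int
    email: str
    is_approved: bool

# Constructed sample data, not taken from the project.
USERS = {1: User(1, "owner@example.test", True),
         2: User(2, "pending@example.test", False)}
NOTES = [Note("welcome", "Welcome", True),
         Note("sop-backups", "Backup SOP", False)]

def current_user(session):
    """Resolve the session to a user on every request instead of trusting a cached flag."""
    user = USERS.get(session.get("user_id"))
    # Assumption: an unapproved or deleted account is treated as anonymous.
    return user if user and user.is_approved else None

def list_notes(session):
    """/browse/: anonymous visitors get only is_public notes."""
    if current_user(session):
        return list(NOTES)
    return [n for n in NOTES if n.is_public]

def get_note(session, slug):
    """/browse/notes/{slug}: a private note and a missing note raise the same error."""
    note = next((n for n in NOTES if n.slug == slug), None)
    if note is None or not (note.is_public or current_user(session)):
        raise NotFound(slug)
    return note

def logout(session):
    """/browse/logout: drop everything in the session, not just user_id."""
    session.clear()
```

Raising the same `NotFound` for a private slug and a nonexistent slug keeps an anonymous visitor from learning which private notes exist.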
Reference
forgejo_admin/pal-e-api#26