Lftobs · Lftobs · Jun 27, 2026 · Jun 22, 2026 · Jun 23, 2026 · Jun 27, 2026
diff --git a/.dockerignore b/.dockerignore
@@ -0,0 +1,20 @@
+.git
+.gitignore
+.gitattributes
+AGENTS.md
+CHANGELOG.md
+CONTRIBUTING.md
+VERSION
+*.md
+node_modules
+apps/web
+apps/docs
+data
+workspace
+infra
+dist
+.env
+__pycache__
+*.log
+docker-compose.yml
+CLI.md
diff --git a/apps/api/Dockerfile b/apps/api/Dockerfile
@@ -8,6 +8,7 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
     unzip \
     tar \
     gnupg \
+    python3 \
     && rm -rf /var/lib/apt/lists/*
 
 # Install Docker CLI + buildx plugin from Docker's official repo
@@ -31,10 +32,11 @@ RUN curl -sSL https://mise.jdx.dev/install.sh | sh \
 
 WORKDIR /app
 
-COPY package.json ./
+COPY apps/api/package.json ./
 RUN bun install
 
-COPY src ./src
+COPY apps/api/src ./src
+COPY scripts ./scripts
 
 RUN mkdir -p /app/data /app/workspace /caddy/routes
 

diff --git a/apps/api/src/api/auth/index.ts b/apps/api/src/api/auth/index.ts
@@ -0,0 +1,95 @@
+import { Elysia } from "elysia";
+import { signAccessToken, verifyAccessToken, generateRefreshToken, storeRefreshToken, validateRefreshToken, blacklistRefreshToken } from "../../utils/auth";
+import { config } from "../../utils/config";
+
+const PAM_AUTH_URL = "http://pam-auth:4567";
+
+const callPam = async (username: string, password: string): Promise<{ ok: boolean; username?: string; error?: string }> => {
+  try {
+    const res = await fetch(`${PAM_AUTH_URL}/auth`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({ username, password }),
+      signal: AbortSignal.timeout(5000),
+    });
+    const data = await res.json();
+    return data;
+  } catch (err) {
+    return { ok: false, error: "Auth service unavailable" };
+  }
+};
+
+const SESSION_COOKIE_OPTS = {
+  path: "/",
+  httpOnly: true,
+  sameSite: "strict" as const,
+  secure: config.caddyBaseDomain !== "localhost",
+  maxAge: 900,
+};
+
+const REFRESH_COOKIE_OPTS = {
+  path: "/",
+  httpOnly: true,
+  sameSite: "strict" as const,
+  secure: config.caddyBaseDomain !== "localhost",
+  maxAge: 7 * 24 * 60 * 60,
+};
+
+export const authRoutes = new Elysia()
+  .post("/auth/login", async ({ body, cookie: { dequel_session, dequel_refresh }, set }) => {
+    const { username, password } = body as { username?: string; password?: string };
+    if (!username || !password) {
+      set.status = 400;
+      return { error: "Username and password required" };
+    }
+    const result = await callPam(username, password);
+    if (!result.ok) {
+      set.status = 401;
+      return { error: result.error || "Authentication failed" };
+    }
+    const accessToken = await signAccessToken(username);
+    const refreshToken = generateRefreshToken();
+    await storeRefreshToken(username, refreshToken);
+    dequel_session.value = accessToken;
+    dequel_session.set(SESSION_COOKIE_OPTS);
+    dequel_refresh.value = refreshToken;
+    dequel_refresh.set(REFRESH_COOKIE_OPTS);
+    return { ok: true, username };
+  })
+  .post("/auth/logout", async ({ cookie: { dequel_session, dequel_refresh } }) => {
+    const rt = dequel_refresh.value;
+    if (rt) {
+      try { await blacklistRefreshToken(rt); } catch {}
+    }
+    dequel_session.remove();
+    dequel_refresh.remove();
+    return { ok: true };
+  })
+  .post("/auth/refresh", async ({ cookie: { dequel_session, dequel_refresh }, set }) => {
+    const rt = dequel_refresh.value;
+    if (!rt) {
+      set.status = 401;
+      return { error: "No refresh token" };
+    }
+    const username = await validateRefreshToken(rt);
+    if (!username) {
+      set.status = 401;
+      return { error: "Invalid or expired refresh token" };
+    }
+    await blacklistRefreshToken(rt);
+    const accessToken = await signAccessToken(username);
+    const newRefreshToken = generateRefreshToken();
+    await storeRefreshToken(username, newRefreshToken);
+    dequel_session.value = accessToken;
+    dequel_session.set(SESSION_COOKIE_OPTS);
+    dequel_refresh.value = newRefreshToken;
+    dequel_refresh.set(REFRESH_COOKIE_OPTS);
+    return { ok: true, username };
+  })
+  .get("/auth/me", async ({ cookie: { dequel_session } }) => {
+    const token = dequel_session.value;
+    if (!token) return { authenticated: false };
+    const payload = await verifyAccessToken(token);
+    if (!payload) return { authenticated: false };
+    return { authenticated: true, username: payload.sub };
+  });
diff --git a/apps/api/src/api/index.ts b/apps/api/src/api/index.ts
@@ -1,6 +1,7 @@
 import { Elysia } from "elysia";
 import { alertsRoutes } from "./alerts";
 import { apiKeysRoutes } from "./api-keys";
+import { authRoutes } from "./auth";
 import { databasesRoutes } from "./databases";
 import { deploymentsRoutes } from "./deployments";
 import { domainsRoutes } from "./domains";
@@ -15,27 +16,42 @@ import { serversRoutes } from "./servers";
 import { volumesRoutes } from "./volumes";
 import { settingsRoutes } from "./settings";
 
+const BYPASS_PATHS = new Set(["/api/auth/login", "/api/auth/logout", "/api/auth/refresh", "/api/auth/me", "/api/health"]);
+
 const authMiddleware = (app: Elysia) =>
-	app.onBeforeHandle(async ({ request, set }) => {
-		const authHeader = request.headers.get(
-			"authorization",
-		);
-		if (!authHeader?.startsWith("Bearer "))
-			return;
-		const token = authHeader.slice(7);
-		if (!token) return;
-		const { validateApiKey } =
-			await import("../db/repo");
-		const key = await validateApiKey(token);
-		if (!key) {
+	app.onBeforeHandle(async ({ request, set, path }) => {
+		if (BYPASS_PATHS.has(path)) return;
+
+		const cookie = request.headers.get("cookie") || "";
+		const match = cookie.match(/(?:^|;\s*)dequel_session=([^;]+)/);
+		if (match) {
+			const { verifyAccessToken } = await import("../utils/auth");
+			const payload = await verifyAccessToken(match[1]);
+			if (payload) return;
 			set.status = 401;
-			return { error: "Invalid API key" };
+			return { error: "Invalid session" };
 		}
+
+		const authHeader = request.headers.get("authorization");
+		if (authHeader?.startsWith("Bearer ")) {
+			const token = authHeader.slice(7);
+			if (token) {
+				const { validateApiKey } = await import("../db/repo");
+				const key = await validateApiKey(token);
+				if (key) return;
+				set.status = 401;
+				return { error: "Invalid API key" };
+			}
+		}
+
+		set.status = 401;
+		return { error: "Authentication required" };
 	});
 
 export const apiRoutes = new Elysia({
 	prefix: "/api",
 })
+	.use(authRoutes)
 	.use(authMiddleware)
 	.use(healthRoutes)
 	.use(projectsRoutes)

diff --git a/apps/api/src/api/server-info/index.ts b/apps/api/src/api/server-info/index.ts
@@ -3,7 +3,7 @@ import { Elysia } from "elysia";
 export const serverInfoRoutes = new Elysia().get(
 	"/server/ip",
 	async () => {
-		const { resolveServerIp } = await import("../../utils/dns");
-		return { ip: await resolveServerIp() };
+		const { checkBaseDomainStatus } = await import("../../utils/dns");
+		return await checkBaseDomainStatus();
 	},
 );
diff --git a/apps/api/src/db/__tests__/auth.test.ts b/apps/api/src/db/__tests__/auth.test.ts
@@ -0,0 +1,95 @@
+import { describe, it, expect, mock, beforeAll, beforeEach, afterAll } from 'bun:test';
+import { Database } from 'bun:sqlite';
+
+const TEST_SECRET = 'test-jwt-secret-for-testing-purposes-only';
+
+let db: Database;
+
+const fileUrl = (path: string) => new URL(path, import.meta.url).toString();
+mock.module(fileUrl('../client.ts'), () => ({
+  getDb: () => db,
+}));
+
+beforeAll(async () => {
+  db = new Database(':memory:');
+  db.run(`
+    CREATE TABLE refresh_tokens (
+      id text PRIMARY KEY NOT NULL,
+      username text NOT NULL,
+      token_hash text NOT NULL UNIQUE,
+      expires_at text NOT NULL,
+      created_at text NOT NULL,
+      blacklisted_at text
+    )
+  `);
+  const { initAuth } = await import('../../utils/auth');
+  initAuth(TEST_SECRET);
+});
+
+beforeEach(() => {
+  db.run('DELETE FROM refresh_tokens');
+});
+
+afterAll(() => {
+  db.close();
+});
+
+describe('storeRefreshToken / validateRefreshToken', () => {
+  it('stores and validates a refresh token', async () => {
+    const { generateRefreshToken, storeRefreshToken, validateRefreshToken } = await import('../../utils/auth');
+    const token = generateRefreshToken();
+    await storeRefreshToken('testuser', token);
+    const username = await validateRefreshToken(token);
+    expect(username).toBe('testuser');
+  });
+
+  it('returns null for unknown token', async () => {
+    const { validateRefreshToken } = await import('../../utils/auth');
+    const result = await validateRefreshToken('dqr_nonexistent');
+    expect(result).toBeNull();
+  });
+});
+
+describe('blacklistRefreshToken', () => {
+  it('blacklists a refresh token', async () => {
+    const { generateRefreshToken, storeRefreshToken, validateRefreshToken, blacklistRefreshToken } = await import('../../utils/auth');
+    const token = generateRefreshToken();
+    await storeRefreshToken('testuser', token);
+    expect(await validateRefreshToken(token)).toBe('testuser');
+    await blacklistRefreshToken(token);
+    expect(await validateRefreshToken(token)).toBeNull();
+  });
+
+  it('does not affect other tokens when blacklisting one', async () => {
+    const { generateRefreshToken, storeRefreshToken, validateRefreshToken, blacklistRefreshToken } = await import('../../utils/auth');
+    const tokenA = generateRefreshToken();
+    const tokenB = generateRefreshToken();
+    await storeRefreshToken('user1', tokenA);
+    await storeRefreshToken('user2', tokenB);
+    await blacklistRefreshToken(tokenA);
+    expect(await validateRefreshToken(tokenA)).toBeNull();
+    expect(await validateRefreshToken(tokenB)).toBe('user2');
+  });
+});
+
+describe('cleanupExpiredTokens', () => {
+  it('removes expired tokens', async () => {
+    const { generateRefreshToken, storeRefreshToken, cleanupExpiredTokens } = await import('../../utils/auth');
+    const token = generateRefreshToken();
+    await storeRefreshToken('testuser', token);
+    const row = db.query('SELECT token_hash FROM refresh_tokens ORDER BY created_at DESC LIMIT 1').get() as { token_hash: string };
+    db.run(`UPDATE refresh_tokens SET expires_at = '2000-01-01T00:00:00.000Z' WHERE token_hash = ?`, [row.token_hash]);
+    await cleanupExpiredTokens();
+    const remaining = db.query('SELECT COUNT(*) as c FROM refresh_tokens').get() as { c: number };
+    expect(remaining.c).toBe(0);
+  });
+
+  it('keeps non-expired tokens', async () => {
+    const { generateRefreshToken, storeRefreshToken, cleanupExpiredTokens } = await import('../../utils/auth');
+    const token = generateRefreshToken();
+    await storeRefreshToken('testuser', token);
+    await cleanupExpiredTokens();
+    const remaining = db.query('SELECT COUNT(*) as c FROM refresh_tokens').get() as { c: number };
+    expect(remaining.c).toBe(1);
+  });
+});
diff --git a/apps/api/src/db/migrations/0001_refresh_tokens.sql b/apps/api/src/db/migrations/0001_refresh_tokens.sql
@@ -0,0 +1,8 @@
+CREATE TABLE IF NOT EXISTS refresh_tokens (
+  id text PRIMARY KEY NOT NULL,
+  username text NOT NULL,
+  token_hash text NOT NULL UNIQUE,
+  expires_at text NOT NULL,
+  created_at text NOT NULL,
+  blacklisted_at text
+);
diff --git a/apps/api/src/db/migrations/meta/_journal.json b/apps/api/src/db/migrations/meta/_journal.json
@@ -2,12 +2,19 @@
   "version": "6",
   "dialect": "sqlite",
   "entries": [
-{
-    "idx": 0,
+    {
+      "idx": 0,
       "version": "6",
       "when": 1718000000000,
       "tag": "0000_baseline",
       "breakpoints": true
+    },
+    {
+      "idx": 1,
+      "version": "6",
+      "when": 1782100000000,
+      "tag": "0001_refresh_tokens",
+      "breakpoints": true
     }
   ]
 }
diff --git a/apps/api/src/db/schema.ts b/apps/api/src/db/schema.ts
@@ -152,6 +152,15 @@ export const servers = sqliteTable("servers", {
   updatedAt: text("updated_at").notNull(),
 });
 
+export const refreshTokens = sqliteTable("refresh_tokens", {
+	id: text().primaryKey(),
+	username: text().notNull(),
+	tokenHash: text("token_hash").notNull().unique(),
+	expiresAt: text("expires_at").notNull(),
+	createdAt: text("created_at").notNull(),
+	blacklistedAt: text("blacklisted_at"),
+});
+
 export const apiKeys = sqliteTable("api_keys", {
   id: text().primaryKey(),
   name: text().notNull(),

diff --git a/apps/api/src/index.ts b/apps/api/src/index.ts
@@ -12,11 +12,16 @@ import { serverManager } from './servers/manager';
 import { startGitWatcher } from './git/watcher';
 import { startDomainPolling } from './utils/domain-verifier';
 import { alertEvaluator } from './monitoring/evaluator';
+import { loadOrCreateJwtSecret } from './utils/secrets';
+import { initAuth, cleanupExpiredTokens } from './utils/auth';
 const bootstrap = async () => {
   await mkdir(dirname(config.databasePath), { recursive: true });
   await mkdir(config.workspaceRoot, { recursive: true });
   await mkdir(config.caddyRoutesDir, { recursive: true });
 
+  const jwtSecret = await loadOrCreateJwtSecret(dirname(config.databasePath));
+  initAuth(jwtSecret);
+
   await migrate();
   await orchestrator.reconcileState();
   orchestrator.startWorker();
@@ -25,6 +30,7 @@ const bootstrap = async () => {
   startGitWatcher();
   startDomainPolling();
   alertEvaluator.start();
+  setInterval(() => { cleanupExpiredTokens().catch(() => {}); }, 60_000);
 
   const metrics = {
     requestsTotal: 0,