62 lines
2.1 KiB
Markdown
62 lines
2.1 KiB
Markdown
# Auth, Admin, And Learning Hub Logic
|
|
|
|
This doc summarizes the current auth/admin/Learning Hub responsibilities. The
|
|
source of truth is `server.js`, `src/routes/*.js`, and the focused top-level
|
|
docs.
|
|
|
|
## Auth
|
|
|
|
- Local auth uses argon2id for new password hashes and bcrypt fallback/rehash
|
|
for legacy rows.
|
|
- Web sessions use the `ped_auth` httpOnly cookie.
|
|
- Mobile sessions use secure token storage and `Authorization: Bearer`.
|
|
- `user_sessions` is the authoritative session registry.
|
|
- OIDC uses Authorization Code + PKCE through `src/routes/oidc.js`.
|
|
- 2FA uses TOTP plus one-time backup codes.
|
|
|
|
See [`../authentication.md`](../authentication.md) for details.
|
|
|
|
## Admin Panel
|
|
|
|
Admin routes live under `/api/admin` and require admin middleware unless the
|
|
specific route is explicitly public (for example public config reads used by the
|
|
login screen). Admin responsibilities include:
|
|
|
|
- user management and role changes
|
|
- settings and feature flags
|
|
- model allowlist/defaults/custom models
|
|
- prompt overrides
|
|
- SMTP/OIDC/security settings
|
|
- health/log views
|
|
- milestone management
|
|
- admin docs browser
|
|
|
|
## Learning Hub
|
|
|
|
Learning Hub has two surfaces:
|
|
|
|
- learner/user-facing routes under `/api/learning`
|
|
- moderator/admin CMS routes under `/api/admin/learning`
|
|
|
|
Content types include articles, pearls, quizzes, and presentations. AI content
|
|
generation can use topic text, uploaded files, or connected Nextcloud/WebDAV
|
|
sources. Semantic search uses pgvector embeddings on `learning_content` when an
|
|
embedding provider is configured.
|
|
|
|
See [`../learning-hub.md`](../learning-hub.md) and
|
|
[`../embeddings-setup.md`](../embeddings-setup.md).
|
|
|
|
## Security Rules
|
|
|
|
- Never expose raw secrets in admin health/config responses.
|
|
- Keep OIDC issuer validation and SSRF protections intact.
|
|
- Keep login, password reset, 2FA, and session endpoints rate-limited.
|
|
- Treat Learning Hub uploads as untrusted input and keep file-type checks.
|
|
- Sanitize rendered Learning Hub content.
|
|
|
|
## Change Checklist
|
|
|
|
1. Check the relevant route and frontend module together.
|
|
2. Preserve role middleware order.
|
|
3. Run `node --check` on touched JS files.
|
|
4. Run `npm test`.
|