feat(auth): add bearer token authentication #145
Merged
Phase 1 implementation:
- Create auth.ts with checkAuth() and unauthorizedResponse() helpers
- Add AuthConfig type to AgentConfig
- Add auth middleware to fetch handler (after OPTIONS)
- Auth check covers WebSocket upgrade paths
- Update CORS headers to allow Authorization header
- Smart defaults: new installs auto-generate token, existing configs stay open

Phase 2 implementation:
- Add token field to ClientConfig type
- Update ApiClient to send Bearer token in requests
- Add getToken/setToken helpers to client config
- Add 'perry auth init' command to generate agent tokens
- Add 'perry config token' command to configure client tokens
- Update config display to show masked token

Phase 3 implementation:
- Add localStorage-based token storage (perry_auth_token)
- Export setToken/clearToken/getToken functions
- Update RPCLink to include Bearer token in requests
- initClient() recreates client when token changes

Phase 4 implementation:
- Add token field to ServerConfig interface
- Update saveServerConfig to accept optional token parameter
- Track currentToken in module state
- Update RPCLink to include Bearer token in requests
- Export getToken() for reading current token
Comment on lines +140 to +143
| const authResult = checkAuth(req, currentConfig); | ||
| if (!authResult.ok) { | ||
| return unauthorizedResponse(); | ||
| } |
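Review bot: the result of `checkAuth(req, currentConfig)` is inspected only for `ok` before `return unauthorizedResponse();`, so a missing header and a rejected token are handled identically with nothing recorded server-side; if checkAuth can report a reason, log it at this point (keeping the client-facing 401 unchanged) so failed attempts are visible in the agent's logs. Also confirm from the surrounding handler that this check is actually reached for `/rpc/*` and `/health`, since a later comment in this thread reports the static handler serving index.html for those paths before the middleware ran.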
Add WEB_UI_PATTERNS to bypass auth for /, /index.html, /assets/*, and /favicon.ico so browsers can load the web UI before sending auth tokens.
Comment on lines +267 to +274
| const configExists = fs.existsSync(configPath); | ||
|
|
||
| const config = await loadAgentConfig(configDir); | ||
|
|
||
| if (!configExists && !config.auth?.token) { | ||
| const token = `perry-${crypto.randomBytes(16).toString('hex')}`; | ||
| config.auth = { ...config.auth, token }; | ||
| await saveAgentConfig(config, configDir); |
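Review bot: the `!configExists && !config.auth?.token` condition means an existing config file that has no `auth.token` keeps the agent open with no signal to the operator; consider logging a startup warning in the else case so the "existing configs stay open" default is at least visible. The token minted on the next line is persisted with `await saveAgentConfig(config, configDir)` but not surfaced here; make sure the config file is written with owner-only permissions, since the token is stored in plaintext, and that the user is told how to retrieve it (the PR's `perry auth init` command would be the natural place).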
Static handler was serving index.html for /rpc/* and /health paths, bypassing the auth middleware. Add isApiPath check to return null for API prefixes, allowing proper auth handling.
Summary
Adds bearer token authentication support across the Perry stack, enabling secure API access for automated tools and integrations.
Changes
Benefits