docs(security): document dev disable-login flag + ship default-false config key
Adds a "Dev Disable-Login Flag" subsection to Component-Security.md covering ScadaBridge:Security:Auth:DisableLogin / User, the AutoLoginAuthenticationHandler mechanism, and the no-environment-guard / startup-warning production risk.

Ships DisableLogin: false under ScadaBridge → Security → Auth in:

- src/.../Host/appsettings.json (canonical default)
- docker/central-node-a/appsettings.Central.json
- docker/central-node-b/appsettings.Central.json

Also records DL-3 commit SHAs in the plan tasks file.
@@ -22,6 +22,16 @@ Central cluster. Sites do not have user-facing interfaces and do not perform ind
- **No local user store**: All identity and group information comes from AD. No credentials are cached locally.
- **No Windows Integrated Authentication**: The app authenticates directly against LDAP/AD, not via Kerberos/NTLM.
## Dev Disable-Login Flag
**`ScadaBridge:Security:Auth:DisableLogin`** (bool, default `false`) — when `true`, the Central UI bypasses the login form entirely and auto-authenticates every request as the user named by `ScadaBridge:Security:Auth:User` (default `multi-role`) with all four roles (Administrator, Designer, Deployer, Viewer) granted system-wide. The mechanism is `AutoLoginAuthenticationHandler`, registered under the cookie scheme via `AddSecurity(disableLogin: true)`; because it sits in the cookie scheme, every existing authorization policy authenticates through it with zero policy changes required.
There is **no environment guard** — a loud startup warning in the application log is the only protection. This disables authentication on a SCADA control surface.
> **Dev/test ONLY. Never enable in production.**
Set in a local or docker-dev environment via the environment variable `ScadaBridge__Security__Auth__DisableLogin=true`. Note that `ScadaBridge:Security:Auth` is a child sub-section nested inside `ScadaBridge:Security`.
## Session Management
### Cookie + JWT Hybrid
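Review bot: the "no environment guard" paragraph in the added section names the risk but gives an operator nothing to verify or act on. Since the commit ships `DisableLogin: false` in the canonical Host appsettings and both docker Central configs, the subsection should say so, and it should quote the exact startup warning text so the condition can be alerted on from the application log rather than discovered by reading it. Because `AutoLoginAuthenticationHandler` is registered under the cookie scheme and "every existing authorization policy authenticates through it with zero policy changes required", a stray `true` in production is invisible to every policy in the system; the doc should at least record that the missing environment check (refusing the flag outside a Development environment) is a known gap, or the check should be added alongside this documentation. Minor: the closing sentence "Note that `ScadaBridge:Security:Auth` is a child sub-section nested inside `ScadaBridge:Security`" restates the key path already given and can be dropped.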