docs(security): document dev disable-login flag + ship default-false config key

Adds a "Dev Disable-Login Flag" subsection to Component-Security.md covering
ScadaBridge:Security:Auth:DisableLogin / User, the AutoLoginAuthenticationHandler
mechanism, and the no-environment-guard / startup-warning production risk.

Ships DisableLogin: false under ScadaBridge → Security → Auth in:
  - src/.../Host/appsettings.json (canonical default)
  - docker/central-node-a/appsettings.Central.json
  - docker/central-node-b/appsettings.Central.json

Also records DL-3 commit SHAs in the plan tasks file.
Joseph Doherty
2026-06-16 08:54:11 -04:00
parent 75919cec31
commit 57302500ac
5 changed files with 28 additions and 1 deletions
@@ -1,5 +1,14 @@
{
"_logging": "Host-021: Serilog is the sole logger provider (Program.cs calls builder.Host.UseSerilog()), so the standard Microsoft 'Logging:LogLevel' block has no effect and was removed. The minimum level is set via 'ScadaBridge:Logging:MinimumLevel' (bound to LoggingOptions per Host-011); sinks are defined under the 'Serilog' section below and applied via ReadFrom.Configuration (Host-014). See LoggerConfigurationFactory + Component-Host.md REQ-HOST-8.",
"ScadaBridge": {
"Security": {
"Auth": {
"_comment": "DisableLogin bypasses the login form and auto-authenticates every request as User with all roles. DEV/TEST ONLY — no environment guard; a startup warning is the only protection. Never enable in production.",
"DisableLogin": false,
"User": "multi-role"
}
}
},
"Serilog": {
"Using": [
"Serilog.Sinks.Console",
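Review bot: the `_comment` added under `ScadaBridge:Security:Auth` states that DisableLogin has no environment guard and that a startup warning is the only protection, so a single `"DisableLogin": true` in any deployed config authenticates every request as `User` with all roles. Consider making the host refuse to start, rather than only warn, when DisableLogin is true outside a development environment. Also consider leaving `"User": "multi-role"` out of the shipped default, so the auto-login identity has to be set deliberately together with the flag instead of already being present when someone flips it.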