docs: document dashboard DisableLogin / AutoLoginUser dev flag

Joseph Doherty
2026-06-16 08:16:45 -04:00
parent 4993057ed5
commit ee1423db7a
3 changed files with 34 additions and 1 deletions
+31
@@ -442,6 +442,37 @@ authorizes every request, and `MxGateway:Dashboard:AllowAnonymousLocalhost`
requests always require an authenticated principal carrying at least the
Viewer role.
### DisableLogin dev bypass
`MxGateway:Dashboard:DisableLogin` (default `false`) is a third bypass for
dev and test environments where LDAP is unavailable or irrelevant.
When the flag is `true`, the `DashboardAuthenticator`-backed cookie handler is
replaced by `DashboardAutoLoginAuthenticationHandler`, registered under the
same scheme name (`MxGateway.Dashboard`). The handler auto-authenticates every
incoming request — including requests from remote browsers, not just loopback —
as a principal for `MxGateway:Dashboard:AutoLoginUser` (default `multi-role`)
holding both the `Administrator` and `Viewer` role claims.
The same-scheme-name swap is intentional: every authorization policy
(`MxGateway.Dashboard.Viewer`, `MxGateway.Dashboard.Admin`,
`MxGateway.Dashboard.HubClients`) resolves the `MxGateway.Dashboard` scheme,
so the handler replacement requires zero changes to policies, Razor page
attributes, or hub authorization attributes. `UseAuthentication()` stamps the
principal on `HttpContext.User` for the full HTTP pipeline, the Blazor circuit,
and the SignalR hubs uniformly — there is no separate path for each surface.
This differs from `AllowAnonymousLocalhost`: that flag satisfies the Viewer
authorization requirement on loopback without minting an authenticated
principal, so role-gated write affordances (Admin-only API-key CRUD, Close/Kill
controls) stay hidden. `DisableLogin` mints a real multi-role principal, so
those affordances appear — which is the point for dev scenarios where a
developer needs the full Admin surface without standing up LDAP.
A loud one-time startup warning is logged when `DisableLogin` is `true`. The
gRPC API-key authentication path is untouched; only the dashboard cookie
surface is affected. Never enable in production.
### Hub bearer flow
SignalR connections cannot reuse the `__Host-` cookie when the JS client
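Review bot: the "DisableLogin dev bypass" section names a startup warning as the only thing that happens when the flag is `true`, yet the same section states that remote browsers, not just loopback, are auto-authenticated as a principal holding the `Administrator` role; the docs should say explicitly whether any environment check (for example refusing to start, or ignoring the flag outside Development) backs up "Never enable in production", or whether the logged warning is the sole safeguard, so operators know what to audit. The section also describes how `DisableLogin` differs from `AllowAnonymousLocalhost` but not what happens when both flags are `true` at once (which handler wins under the shared `MxGateway.Dashboard` scheme, and whether the anonymous-localhost path is still reachable); a sentence on precedence would close that gap. Minor: the final "Never enable in production." reads stronger if it carries the reason stated earlier, e.g. "Never enable in production: every remote request is authenticated as `AutoLoginUser` with the Administrator role."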