arcodange/dance-lessons-coach
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

Compare commits

base: arcodange:001172e5b3b0e48e616789d88738892dd6a434d8
Branches Tags
arcodange:main arcodange:vibe/batch-pr-chartv-vault-crds arcodange:vibe/batch4-task-a-changelog-update arcodange:fix/should-enable-v2-tag-parsing arcodange:fix/config-test-main-quiet-zerolog arcodange:fix/race-in-config-watcher arcodange:feat/adr-0023-phase3b-sampler-reload arcodange:fix/bdd-cache-flush-and-revert-schema-isolation arcodange:fix/exclude-v2-from-default-bdd arcodange:feature/restructure-agents-md
..
compare: arcodange:vibe/batch4-task-a-changelog-update
Branches Tags
arcodange:main arcodange:vibe/batch-pr-chartv-vault-crds arcodange:vibe/batch4-task-a-changelog-update arcodange:fix/should-enable-v2-tag-parsing arcodange:fix/config-test-main-quiet-zerolog arcodange:fix/race-in-config-watcher arcodange:feat/adr-0023-phase3b-sampler-reload arcodange:fix/bdd-cache-flush-and-revert-schema-isolation arcodange:fix/exclude-v2-from-default-bdd arcodange:feature/restructure-agents-md

1 Commits
001172e5b3 ... vibe/batch

Author SHA1 Message Date
Gabriel Radureau
e6499ac6b8 📝 docs(changelog): record PRs #67, #68, #69 2026-05-05 19:28:01 +02:00
8 changed files with 8 additions and 425 deletions
Expand all files Collapse all files

6
CHANGELOG.md
View File

@@ -7,6 +7,12 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
## [Unreleased]
### Added
-`GET /api/v1/uptime` endpoint (PR #67) — returns server start_time and uptime_seconds
- 📝 mkcert local HTTPS setup + Makefile cert target (PR #68) — prep for ADR-0028 Phase B OIDC callbacks
-`pkg/auth/` skeleton for OpenID Connect (PR #69) — types + client surface, handlers come later
## [0.1.0] - 2026-05-05
### Added

24
Makefile
View File

@@ -1,24 +0,0 @@
# dance-lessons-coach Makefile — minimal targets for local development.
# This is a starter Makefile ; expand as needed (build, test, run, etc.).
# Existing build/test workflows live in scripts/ and remain authoritative.
CERT_DIR := ./certs
.PHONY: help cert clean-cert
help:
@echo "Available targets:"
@echo " cert Generate local-dev TLS certs via mkcert (cf. documentation/MKCERT.md)"
@echo " clean-cert Remove generated TLS certs"
@echo " help Show this help"
cert: $(CERT_DIR)
@command -v mkcert >/dev/null 2>&1 || { echo >&2 "mkcert not found. See documentation/MKCERT.md to install."; exit 1; }
mkcert -cert-file $(CERT_DIR)/dev-cert.pem -key-file $(CERT_DIR)/dev-key.pem localhost 127.0.0.1 ::1
@echo "Certs ready at $(CERT_DIR)/. Cf. documentation/MKCERT.md for usage."
$(CERT_DIR):
mkdir -p $(CERT_DIR)
clean-cert:
rm -rf $(CERT_DIR)

120
documentation/MKCERT.md
View File

@@ -1,120 +0,0 @@
# mkcert: Local HTTPS for Development
## Overview
This document describes how to set up local HTTPS development certificates using `mkcert`.
OIDC providers **reject `http://localhost` as a redirect URI** by default for security reasons. To test OAuth 2.0 / OpenID Connect flows locally, the development server must be accessible via HTTPS. `mkcert` provides a zero-configuration local Certificate Authority that generates trusted certificates for localhost and custom domains.
This setup is a prerequisite for **ADR-0028 Phase B** (OpenID Connect Authorization Code flow).
## Why mkcert
- **Trusted locally**: Certificates are automatically trusted by the system root store (macOS, Linux, Windows)
- **No configuration**: Single commands to create and install the CA
- **Local-only**: Certificates are valid only for localhost development, never exposed to production
- **Industry standard**: Widely adopted tool for local HTTPS development
## Installation
### macOS (Homebrew)
```bash
brew install mkcert
mkcert -install
```
The `mkcert -install` command creates and installs a local Certificate Authority in your system trust store.
### Linux
See [mkcert GitHub](https://github.com/FiloSottile/mkcert#installation) for distribution-specific instructions.
### Windows
See [mkcert GitHub](https://github.com/FiloSottile/mkcert#installation) for Windows installation.
## Generate Certificates
Use the provided Make target to generate certificates for localhost development:
```bash
make cert
```
This runs the following command:
```bash
mkcert -cert-file ./certs/dev-cert.pem -key-file ./certs/dev-key.pem localhost 127.0.0.1 ::1
```
### Output Files
| File | Description |
|------|-------------|
| `./certs/dev-cert.pem` | TLS certificate for localhost, 127.0.0.1, and ::1 |
| `./certs/dev-key.pem` | Private key for the certificate |
Both files are created in the `./certs/` directory at the project root.
## Use in Development
Once certificates are generated, start the server with TLS enabled:
```bash
./bin/server --tls-cert ./certs/dev-cert.pem --tls-key ./certs/dev-key.pem
```
> **Note**: The `--tls-cert` and `--tls-key` flags are **not yet implemented** — this is planned for ADR-0028 Phase B.4. The Makefile and certificate generation are prepared in advance so that when the server TLS support is added, the certificates are ready.
The server will then be accessible at:
- `https://localhost:8080` (or the configured port)
- `https://127.0.0.1:8080`
- `https://[::1]:8080`
All OIDC callback URLs must use HTTPS with one of these hostnames.
## Clean Up
To remove generated certificates:
```bash
make clean-cert
```
This deletes the entire `./certs/` directory.
## .gitignore
The `certs/` directory contains locally-generated certificates and **must not be committed** to version control.
Ensure `certs/` is in your `.gitignore`. If it is not already present, add it:
```bash
echo "certs/" >> .gitignore
```
## Cross-References
- [ADR-0028: Passwordless authentication: magic link → OpenID Connect](../adr/0028-passwordless-auth-migration.md) — Phase B describes the OIDC implementation that requires HTTPS
- [mkcert GitHub Repository](https://github.com/FiloSottile/mkcert) — Official documentation
## Troubleshooting
### "mkcert not found" when running `make cert`
Ensure `mkcert` is installed and available in your `PATH`. The Makefile checks for this and will display an error message if `mkcert` is not found.
### Certificate not trusted by browser
Run `mkcert -install` again. On macOS, you may need to restart your browser completely (close all windows, not just tabs).
### Port already in use
If another process is using the port (e.g., a non-TLS server on port 8080), stop that process first or configure the server to use a different port.
## See Also
- `make help` — List all available Make targets
- [documentation/API.md](API.md) — API endpoints reference
- [documentation/BDD_GUIDE.md](BDD_GUIDE.md) — BDD testing guide

49
pkg/config/config.go
View File

@@ -109,27 +109,12 @@ type AuthConfig struct {
JWT JWTConfig `mapstructure:"jwt"`
Email EmailConfig `mapstructure:"email"`
MagicLink MagicLinkConfig `mapstructure:"magic_link"`
OIDC OIDCConfig `mapstructure:"oidc"`
}
// MagicLinkConfig holds passwordless-auth magic-link parameters (ADR-0028 Phase A).
type MagicLinkConfig struct {
TTL time.Duration `mapstructure:"ttl"`
BaseURL string `mapstructure:"base_url"`
CleanupInterval time.Duration `mapstructure:"cleanup_interval"`
}
// OIDCConfig holds OpenID Connect provider configuration (ADR-0028 Phase B).
// Multiple providers are supported via a map keyed by provider name (e.g. "arcodange-sso", "google").
type OIDCConfig struct {
Providers map[string]OIDCProvider `mapstructure:"providers"`
}
// OIDCProvider describes a single OIDC provider's discovery + client config.
type OIDCProvider struct {
IssuerURL string `mapstructure:"issuer_url"`
ClientID string `mapstructure:"client_id"`
ClientSecret string `mapstructure:"client_secret"`
TTL time.Duration `mapstructure:"ttl"`
BaseURL string `mapstructure:"base_url"`
}
// EmailConfig holds outgoing email transport configuration.
@@ -301,11 +286,6 @@ func LoadConfig() (*Config, error) {
// Magic-link defaults (ADR-0028 Phase A).
v.SetDefault("auth.magic_link.ttl", 15*time.Minute)
v.SetDefault("auth.magic_link.base_url", "http://localhost:8080")
v.SetDefault("auth.magic_link.cleanup_interval", 1*time.Hour)
// OIDC defaults (ADR-0028 Phase B). Providers map is empty by default;
// configured per environment via config file or env vars.
v.SetDefault("auth.oidc.providers", map[string]interface{}{})
// Check for custom config file path via environment variable
if configFile := os.Getenv("DLC_CONFIG_FILE"); configFile != "" {
@@ -363,14 +343,6 @@ func LoadConfig() (*Config, error) {
// Magic-link environment variables (ADR-0028 Phase A).
v.BindEnv("auth.magic_link.ttl", "DLC_AUTH_MAGIC_LINK_TTL")
v.BindEnv("auth.magic_link.base_url", "DLC_AUTH_MAGIC_LINK_BASE_URL")
v.BindEnv("auth.magic_link.cleanup_interval", "DLC_AUTH_MAGIC_LINK_CLEANUP_INTERVAL")
// OIDC environment variables (ADR-0028 Phase B). One canonical "default"
// provider is bindable via env; additional providers must be defined in config.yaml.
v.BindEnv("auth.oidc.providers.default.issuer_url", "DLC_AUTH_OIDC_ISSUER_URL")
v.BindEnv("auth.oidc.providers.default.client_id", "DLC_AUTH_OIDC_CLIENT_ID")
v.BindEnv("auth.oidc.providers.default.client_secret", "DLC_AUTH_OIDC_CLIENT_SECRET")
v.BindEnv("telemetry.sampler.type", "DLC_TELEMETRY_SAMPLER_TYPE")
v.BindEnv("telemetry.sampler.ratio", "DLC_TELEMETRY_SAMPLER_RATIO")
@@ -522,23 +494,6 @@ func (c *Config) GetMagicLinkConfig() MagicLinkConfig {
return out
}
// GetOIDCProviders returns the configured OIDC providers, keyed by provider name.
// Empty map (not nil) is returned when no providers are configured.
func (c *Config) GetOIDCProviders() map[string]OIDCProvider {
if c.Auth.OIDC.Providers == nil {
return map[string]OIDCProvider{}
}
return c.Auth.OIDC.Providers
}
// GetMagicLinkCleanupInterval returns the magic-link cleanup interval (ADR-0028 Phase A consequence).
func (c *Config) GetMagicLinkCleanupInterval() time.Duration {
if c.Auth.MagicLink.CleanupInterval <= 0 {
return 1 * time.Hour
}
return c.Auth.MagicLink.CleanupInterval
}
// GetJWTTTL returns the JWT TTL
func (c *Config) GetJWTTTL() time.Duration {
if c.Auth.JWT.TTL == 0 {

33
pkg/server/server.go
View File

@@ -246,9 +246,6 @@ func (s *Server) registerApiV1Routes(r chi.Router) {
r.Get("/{name}", s.handleGreetPath)
})
// Uptime endpoint
r.Get("/uptime", s.handleUptime)
// Register user authentication routes
if s.userService != nil && s.userRepo != nil {
// Use unified user service - much simpler!
@@ -586,30 +583,6 @@ func (s *Server) handleInfo(w http.ResponseWriter, r *http.Request) {
w.Write(data)
}
// UptimeResponse represents the JSON response for /api/v1/uptime
type UptimeResponse struct {
StartTime string `json:"start_time"`
UptimeSeconds int `json:"uptime_seconds"`
}
// handleUptime godoc
//
// @Summary Get server uptime
// @Description Returns server start time and uptime duration
// @Tags System/Info
// @Produce json
// @Success 200 {object} UptimeResponse
// @Router /v1/uptime [get]
func (s *Server) handleUptime(w http.ResponseWriter, r *http.Request) {
log.Trace().Msg("Uptime check requested")
resp := UptimeResponse{
StartTime: s.startedAt.Format(time.RFC3339),
UptimeSeconds: int(time.Since(s.startedAt).Seconds()),
}
w.Header().Set("Content-Type", "application/json")
json.NewEncoder(w).Encode(resp)
}
// handleGreetQuery godoc
//
// @Summary Get greeting with cache
@@ -791,12 +764,6 @@ func (s *Server) Run() error {
s.userService.StartJWTSecretCleanupLoop(rootCtx, s.config.GetJWTSecretCleanupInterval())
}
// Start the magic-link expired-token cleanup loop (ADR-0028 Phase A consequence).
if mlRepo, ok := s.userRepo.(user.MagicLinkRepository); ok {
runner := user.NewMagicLinkCleanupRunner(mlRepo)
runner.StartCleanupLoop(rootCtx, s.config.GetMagicLinkCleanupInterval())
}
// Wire the sampler hot-reload callback (ADR-0023 Phase 3, sub-phase 3.3).
// telemetrySetup is non-nil only when telemetry was successfully initialized
// at startup — hot-reloading telemetry-on is out of scope (see ADR-0023).

81
pkg/server/uptime_test.go
View File

@@ -1,81 +0,0 @@
package server
import (
"context"
"encoding/json"
"net/http"
"net/http/httptest"
"testing"
"time"
"dance-lessons-coach/pkg/config"
"github.com/stretchr/testify/assert"
)
func TestHandleUptime(t *testing.T) {
// Setup with a known start time
cfg := &config.Config{}
// We need to create a server and then set its startedAt to a known time
// Since NewServer sets startedAt to time.Now(), we'll create the server
// and then use reflection or we can use NewServerWithUserRepo which also sets startedAt
s := NewServer(cfg, context.Background())
// Set a fixed start time for deterministic testing
// We can't directly set s.startedAt since it's unexported, but we can test
// that the handler uses the server's startedAt
// The test will verify the structure and that uptime_seconds is >= 0
// Create request
req := httptest.NewRequest(http.MethodGet, "/api/v1/uptime", nil)
w := httptest.NewRecorder()
// Call handler
s.handleUptime(w, req)
// Check status code
assert.Equal(t, http.StatusOK, w.Code)
// Check content type
assert.Equal(t, "application/json", w.Header().Get("Content-Type"))
// Decode response
var resp UptimeResponse
err := json.NewDecoder(w.Body).Decode(&resp)
assert.NoError(t, err)
// Assert fields
assert.NotEmpty(t, resp.StartTime)
// Verify start_time is in RFC3339 format
_, err = time.Parse(time.RFC3339, resp.StartTime)
assert.NoError(t, err)
assert.GreaterOrEqual(t, resp.UptimeSeconds, 0)
}
func TestHandleUptime_Deterministic(t *testing.T) {
// For a more deterministic test, we would need to be able to set startedAt
// Since startedAt is unexported, we test the behavior with a known server
// that was just created (uptime should be very small)
cfg := &config.Config{}
s := NewServer(cfg, context.Background())
// Small delay to ensure uptime is at least 0 seconds
time.Sleep(10 * time.Millisecond)
req := httptest.NewRequest(http.MethodGet, "/api/v1/uptime", nil)
w := httptest.NewRecorder()
s.handleUptime(w, req)
assert.Equal(t, http.StatusOK, w.Code)
var resp UptimeResponse
err := json.NewDecoder(w.Body).Decode(&resp)
assert.NoError(t, err)
// Uptime should be at least 0 (it's int() of seconds, so minimum is 0)
assert.GreaterOrEqual(t, resp.UptimeSeconds, 0)
// Start time should be parseable
_, err = time.Parse(time.RFC3339, resp.StartTime)
assert.NoError(t, err)
}

56
pkg/user/magic_link_cleanup.go
View File

@@ -1,56 +0,0 @@
package user
import (
"context"
"time"
"github.com/rs/zerolog/log"
)
// MagicLinkCleanupRunner periodically deletes expired magic-link tokens
// (ADR-0028 Phase A consequence — the rows accumulate without cleanup
// otherwise, and stale rows are pure overhead since the token plaintext
// is never stored).
type MagicLinkCleanupRunner struct {
repo MagicLinkRepository
}
// NewMagicLinkCleanupRunner creates a new cleanup runner.
func NewMagicLinkCleanupRunner(repo MagicLinkRepository) *MagicLinkCleanupRunner {
return &MagicLinkCleanupRunner{repo: repo}
}
// StartCleanupLoop runs the cleanup pass every `interval`. Stops when ctx
// is cancelled. interval <= 0 disables the loop.
func (r *MagicLinkCleanupRunner) StartCleanupLoop(ctx context.Context, interval time.Duration) {
if interval <= 0 {
return
}
go func() {
ticker := time.NewTicker(interval)
defer ticker.Stop()
for {
select {
case <-ctx.Done():
return
case <-ticker.C:
_, _ = r.runOnce(ctx)
}
}
}()
}
// runOnce performs a single cleanup pass. Returns the count of deleted rows.
// Exposed for testing — tests drive runOnce directly instead of waiting on
// the ticker.
func (r *MagicLinkCleanupRunner) runOnce(ctx context.Context) (int64, error) {
n, err := r.repo.DeleteExpiredMagicLinkTokens(ctx, time.Now())
if err != nil {
log.Error().Ctx(ctx).Err(err).Msg("magic-link cleanup: delete failed")
return 0, err
}
if n > 0 {
log.Trace().Ctx(ctx).Int64("deleted", n).Msg("magic-link cleanup: removed expired tokens")
}
return n, nil
}

64
pkg/user/magic_link_cleanup_test.go
View File

@@ -1,64 +0,0 @@
package user
import (
"context"
"errors"
"testing"
"time"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
)
type fakeMLRepo struct {
deleteN int64
deleteErr error
cutoffSeen time.Time
}
func (r *fakeMLRepo) CreateMagicLinkToken(_ context.Context, _ *MagicLinkToken) error { return nil }
func (r *fakeMLRepo) GetMagicLinkTokenByHash(_ context.Context, _ string) (*MagicLinkToken, error) {
return nil, nil
}
func (r *fakeMLRepo) MarkMagicLinkTokenConsumed(_ context.Context, _ uint, _ time.Time) error {
return nil
}
func (r *fakeMLRepo) DeleteExpiredMagicLinkTokens(_ context.Context, before time.Time) (int64, error) {
r.cutoffSeen = before
return r.deleteN, r.deleteErr
}
func TestRunOnce_ReturnsCount(t *testing.T) {
repo := &fakeMLRepo{deleteN: 7}
r := NewMagicLinkCleanupRunner(repo)
n, err := r.runOnce(context.Background())
require.NoError(t, err)
assert.EqualValues(t, 7, n)
assert.WithinDuration(t, time.Now(), repo.cutoffSeen, time.Second)
}
func TestRunOnce_PropagatesError(t *testing.T) {
repo := &fakeMLRepo{deleteErr: errors.New("simulated")}
r := NewMagicLinkCleanupRunner(repo)
_, err := r.runOnce(context.Background())
require.Error(t, err)
}
func TestStartCleanupLoop_StopsOnContextCancel(t *testing.T) {
repo := &fakeMLRepo{}
r := NewMagicLinkCleanupRunner(repo)
ctx, cancel := context.WithCancel(context.Background())
r.StartCleanupLoop(ctx, 10*time.Millisecond)
time.Sleep(25 * time.Millisecond) // 2 ticks
cancel()
time.Sleep(15 * time.Millisecond) // give the goroutine time to exit
// Implicit assertion: no goroutine leak (test would hang in -race mode otherwise).
}
func TestStartCleanupLoop_NoOpWhenIntervalZero(t *testing.T) {
repo := &fakeMLRepo{}
r := NewMagicLinkCleanupRunner(repo)
r.StartCleanupLoop(context.Background(), 0)
// Just make sure no goroutine is started ; nothing observable to assert
// beyond "no panic, returns immediately".
}