Phase 1.5 — auth layer (Redis sessions, allowlist, requireAuth)
Some checks failed
Docker Build / build-and-push-image (push) Failing after 18s

Adds an authentication layer in front of the bot handlers:

- Auth handler on the principal bot (@arcodange_factory_bot, slug
  factory) parses /start, /auth <code>, /whoami, /logout. On a
  successful /auth, the message containing the code is best-effort
  deleted from the user's chat (replay defense).
- Redis-backed sessions (key tg-gw:auth:<from.id>, TTL 24h, configurable
  via AUTH_SESSION_TTL). Constant-time secret compare via crypto/subtle.
- ALLOWED_USERS env (CSV of Telegram user IDs) — silent-drops anyone
  not in the list before the auth gate runs.
- New per-bot field 'requireAuth' (pointer-bool). Default = true (secure
  by default). Auto-forced to false for handler=auth (chicken-and-egg).
- Server gates: allowlist first, then requireAuth before handler dispatch.
- Fail-at-startup if a bot is configured with handler=auth or
  requireAuth: true while AUTH_SECRET is unset.

Design: factory/docs/adr/20260509-telegram-gateway-auth.md (in factory PR).
User docs: AUTH.md (new), HOWTO_ADD_BOT.md (Cas 2 updated for default
true and gated flow).

New deps: github.com/redis/go-redis/v9.

Refs ~/.claude/plans/pour-les-notifications-on-inherited-seal.md § Phase 1.5.
2026-05-09 13:56:30 +02:00
parent 6228169ac1
commit 07115e3162
15 changed files with 679 additions and 54 deletions
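The gate order and session handling the commit message describes (allowlist first, then requireAuth, with a constant-time compare on the /auth code and a TTL-bound session per from.id), as an added Go example. This is not the telegram-gateway's own code: the project stores sessions in Redis via go-redis, whereas memStore below is an in-memory stand-in so the example runs offline, and the function names, the Decision type and the assumption that an empty ALLOWED_USERS disables the allowlist check are this example's own.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// Decision is the gate's verdict for one incoming Telegram update.
type Decision int

const (
	Drop     Decision = iota // sender not in ALLOWED_USERS: ignored silently
	NeedAuth                 // bot is gated and the sender has no live session
	Dispatch                 // hand the update to the bot's handler
)

// SessionStore is the slice of the Redis store (tg-gw:auth:<from.id>, TTL)
// the gate needs; memStore stands in for go-redis so the example runs offline.
type SessionStore interface {
	Has(userID int64, now time.Time) bool
	Put(userID int64, ttl time.Duration, now time.Time)
}

type memStore map[int64]time.Time // userID -> expiry, mimicking a key TTL

func (m memStore) Has(id int64, now time.Time) bool {
	exp, ok := m[id]
	return ok && now.Before(exp)
}

func (m memStore) Put(id int64, ttl time.Duration, now time.Time) { m[id] = now.Add(ttl) }

// ParseAllowedUsers parses the ALLOWED_USERS CSV. Blank fields are skipped; a
// non-numeric field is an error so a typo fails at startup instead of silently
// changing who is allowed in.
func ParseAllowedUsers(csv string) (map[int64]bool, error) {
	allowed := map[int64]bool{}
	for _, f := range strings.Split(csv, ",") {
		if f = strings.TrimSpace(f); f == "" {
			continue
		}
		id, err := strconv.ParseInt(f, 10, 64)
		if err != nil {
			return nil, fmt.Errorf("ALLOWED_USERS: bad user id %q", f)
		}
		allowed[id] = true
	}
	return allowed, nil
}

// Bot is the per-bot config; RequireAuth is a pointer so "unset" (default
// true) is distinguishable from an explicit false.
type Bot struct {
	Handler     string
	RequireAuth *bool
}

// EffectiveRequireAuth defaults to true and is forced false for handler=auth,
// which could otherwise never be reached to mint a session.
func EffectiveRequireAuth(b Bot) bool {
	if b.Handler == "auth" {
		return false
	}
	return b.RequireAuth == nil || *b.RequireAuth
}

// Gate applies the checks in the order the commit describes: allowlist first,
// then requireAuth. Assumption: an empty allowlist disables that first check.
func Gate(allowed map[int64]bool, store SessionStore, b Bot, fromID int64, now time.Time) Decision {
	if len(allowed) > 0 && !allowed[fromID] {
		return Drop
	}
	if EffectiveRequireAuth(b) && !store.Has(fromID, now) {
		return NeedAuth
	}
	return Dispatch
}

// HandleAuth processes "/auth <code>" and reports whether a session was minted.
// ConstantTimeCompare keeps a wrong code from costing less when it shares a prefix.
func HandleAuth(store SessionStore, secret, text string, fromID int64, ttl time.Duration, now time.Time) bool {
	fields := strings.Fields(text)
	if len(fields) != 2 || fields[0] != "/auth" ||
		subtle.ConstantTimeCompare([]byte(fields[1]), []byte(secret)) != 1 {
		return false
	}
	store.Put(fromID, ttl, now)
	return true
}

func main() {
	allowed, _ := ParseAllowedUsers("111,222")
	store, now, echo := memStore{}, time.Now(), Bot{Handler: "echo"}
	fmt.Println(Gate(allowed, store, echo, 111, now) == NeedAuth) // true: no session yet
	HandleAuth(store, "s3cret", "/auth s3cret", 111, 24*time.Hour, now)
	fmt.Println(Gate(allowed, store, echo, 111, now) == Dispatch) // true
}
```

Two points a practitioner should keep from this shape: the allowlist is evaluated before any session lookup, so a sender outside ALLOWED_USERS never causes a Redis round trip or a reply, and ConstantTimeCompare still returns 0 immediately on a length mismatch, so the code length is the one thing it does not hide.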


@@ -81,11 +81,29 @@ autoscaling:
# Bot routing config — non-secret, becomes the bots.yaml ConfigMap entry.
# Tokens & secret_token values live in a k8s Secret named `secret.name`.
# In Phase 1 the Secret is created out-of-band (kubectl create secret); in a
# later phase Vault will produce it via VSO (toggle `vault.enabled`).
#
# Auth gate (Phase 1.5, ADR factory/docs/adr/20260509-telegram-gateway-auth.md):
# - `requireAuth` defaults to **true** (secure by default). Add
# `requireAuth: false` only for bots you want to expose publicly.
# - For `handler: auth`, requireAuth is auto-forced to false (the auth bot
# can't gate itself or no one could ever authenticate).
bots:
factory:
handler: echo
handler: auth # principal bot — gère /auth, /whoami, /logout
# Exemple d'un bot gated (défaut) :
# pingbot:
# handler: echo
#
# Exemple d'un bot public (opt-out explicite) :
# statusbot:
# handler: echo
# requireAuth: false
# Auth layer (Phase 1.5). REDIS_URL est passé en env clair (non secret).
# AUTH_SECRET et ALLOWED_USERS doivent vivre dans le Secret k8s `secret.name`.
auth:
redisURL: "redis://redis.tools.svc.cluster.local:6379/0"
sessionTTL: "24h"
# k8s Secret consumed by `envFrom`. Phase 1: create it manually with kubectl.
# kubectl -n telegram-gateway create secret generic telegram-gateway-bots \
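Review bot: the `redisURL: "redis://redis.tools.svc.cluster.local:6379/0"` value carries no credentials and is plain redis:// rather than rediss://, yet that instance holds the tg-gw:auth:<from.id> sessions the requireAuth gate trusts, so anyone who can reach port 6379 in the cluster can write a session key and walk past /auth. Either state in this comment block that access to that Redis is restricted to the gateway pods (NetworkPolicy or equivalent), or give Redis a password and move the URL into the `secret.name` Secret next to AUTH_SECRET, in which case the comment `REDIS_URL est passé en env clair (non secret)` no longer holds and should change with it. Smaller point on the `factory:` entry: since `handler: auth` forces requireAuth off, the comment on that line should say that ALLOWED_USERS is the only filter in front of the auth bot, otherwise a reader of the two examples below could assume the factory bot is gated like `pingbot`.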