2.1 KiB
2.1 KiB
Global Auth Gate
This document explains the optional server-side login gate and what it implies for your site.
Overview
- When enabled, all HTML routes require login.
- Login uses Firebase Auth (Google or email) and exchanges a Firebase ID token for a server session.
- The session is stored in a signed cookie and checked on every request.
Where it runs
- The gate runs only in
vite preview(production-like server). - The Vite dev server (
vite dev) does not enable the gate. - Static hosting cannot enforce the gate, because there is no server to verify tokens or set cookies.
Flow
- User requests
/or any HTML route. - Server checks the
mono_sessioncookie. - If missing, redirect to
/login. - Login page signs in with Firebase and POSTs to
/api/auth/login. - Server verifies the ID token and sets a session cookie.
- User is redirected back to
/.
Configuration
AUTH_ENABLED=trueenables the gate (default is false).AUTH_SECRETis required when the gate is enabled. It signs the session cookie.AUTH_GOOGLE_ENABLEDtoggles Google sign-in on/login(default true).AUTH_EMAIL_ENABLEDtoggles email/password sign-in on/login(default true).FIREBASE_PROJECT_IDsets the Firebase project used to verify tokens.FIREBASE_CONFIG(JSON) injects config into the login page.POCKETBASE_URLhides the custom DB setting field.SESSION_MAX_AGEsets cookie lifetime in ms (default 7 days).
Implications for the site
- Requires a server runtime. Pure static hosting will not force login.
- Unauthenticated requests to non-HTML assets return 401.
/loginand/login.htmlremain accessible to start the flow.- Logging out clears the session and redirects to
/login. - Authenticated visits to
/loginredirect back to/.
Enable (Docker)
cp .env.example .env- Set
AUTH_ENABLED=trueandAUTH_SECRET=... - Optionally set
FIREBASE_CONFIGandFIREBASE_PROJECT_ID docker compose up -d- Visit
http://localhost:3000
Enable (local preview)
npm run build- Set env vars in your shell or
.env npm run preview