doot.git/internal/auth, branch main

Add passkey (WebAuthn) authentication support

2026-02-06T01:35:01+00:00

Enable passwordless login via passkeys as an alternative to password auth. Users register passkeys from Settings; the login page offers both options. WebAuthn is optional — only active when WEBAUTHN_RP_ID and WEBAUTHN_ORIGIN env vars are set. Co-Authored-By: Claude Opus 4.6

Add comprehensive test coverage across packages

2026-02-04T01:16:35+00:00

New test files: - api/http_test.go: HTTP client and error handling tests - config/config_test.go: Configuration loading and validation tests - middleware/security_test.go: Security middleware tests - models/atom_test.go: Atom model and conversion tests Expanded test coverage: - api/todoist_test.go: Todoist API client tests - api/trello_test.go: Trello API client tests - auth/auth_test.go: Authentication and CSRF tests - handlers/timeline_logic_test.go: Timeline building logic tests - store/sqlite_test.go: SQLite store operations tests Co-Authored-By: Claude Opus 4.5

Add Agent Context API for external agent integration

2026-01-29T08:19:28+00:00

Phase 1: Authentication and read-only context - POST /agent/auth/request - request access with name + agent_id - GET /agent/auth/poll - poll for approval status - POST /agent/auth/approve|deny - user approval (browser auth required) - GET /agent/context - 7-day timeline context (agent session required) Phase 1.5: Browser-only agent endpoints (HTML pages) - GET /agent/web/request - request page with token - GET /agent/web/status - status page with polling - GET /agent/web/context - context page with timeline data WebSocket notifications: - GET /ws/notifications - push agent requests to browsers - Approval modal with trust indicators and countdown timer Database: - agents table for registered agent tracking - agent_sessions table for pending/active sessions Co-Authored-By: Claude Opus 4.5

Phase 3: Error handling and security hardening

2026-01-26T17:03:53+00:00

- Handle JSON marshal errors in sqlite.go (log + fallback to empty array) - Add 30s timeout to Google Calendar client initialization - Fix CSRF timing attack by using subtle.ConstantTimeCompare Co-Authored-By: Claude Opus 4.5

Fix all static analysis errors (golangci-lint)

2026-01-26T06:55:58+00:00

- Fix errcheck: handle all error return values in production code - Fix errcheck: handle all error return values in test files - Fix staticcheck: replace deprecated WithCredentialsFile with WithAuthCredentialsFile - Remove unused code: authHeaders, planToEatPlannerItem, planToEatResponse - Use defer func() { _ = x.Close() }() pattern for ignored close errors Co-Authored-By: Claude Opus 4.5

Add CSRF protection and auth unit tests

2026-01-21T01:18:57+00:00

Add CSRF token middleware for state-changing request protection, integrate tokens into templates and HTMX headers, and add unit tests for authentication service and handlers. Co-Authored-By: Claude Opus 4.5

Add session-based authentication

2026-01-20T21:34:33+00:00

Implement secure authentication using scs session manager with SQLite backing store and bcrypt password hashing. - Add users and sessions tables (migration 004) - Create internal/auth package with Service, Middleware, and Handlers - Protect all routes except /login, /logout, /static/* - Add login page template and logout button to dashboard - Default credentials: admin/changeme (configurable via env vars) Co-Authored-By: Claude Opus 4.5