Add Dec 28 session - APIv2 Auth + Portal Alignment verification and decisions
parent
8922c80995
commit
4cb41a66a4
@ -1,4 +1,4 @@
|
||||
# Session Log – zlh-grind
|
||||
# Session Log — zlh-grind
|
||||
|
||||
Append-only execution log for GPT-assisted development work.
|
||||
Do not rewrite or reorder past entries.
|
||||
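Review bot: The title line change in this hunk (en dash to em dash in `# Session Log`) is unrelated to the Dec 28 session entry and is not mentioned in the commit message. In a file whose header says "Do not rewrite or reorder past entries", it is cleaner to keep this commit append-only and move the typographic fix to its own commit, or at least note it in the message.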
@ -103,3 +103,27 @@ Status: **Root cause resolved; implementation pending agent patch & installer up
|
||||
Status: **Dev container SSH working internally; bastion public access blocked at network layer.**
|
||||
|
||||
---
|
||||
|
||||
## 2025-12-28 — APIv2 Auth + Portal Alignment Session
|
||||
|
||||
### Work Completed
|
||||
- APIv2 auth route verified functional (JWT-based)
|
||||
- bcrypt password verification confirmed
|
||||
- `/api/instances` endpoint verified working without auth
|
||||
- Portal/API boundary clarified: portal owns identity UX, API owns validation + DB
|
||||
- Confirmed no CSRF or cookie-based auth required (stateless JWT)
|
||||
|
||||
### Key Findings
|
||||
- Portal still contains APIv1 / Pterodactyl assumptions
|
||||
- `zlh-grind` is documentation + constraint repo only (no code)
|
||||
- Instances endpoint behavior was correct; earlier failures were route misuse
|
||||
|
||||
### Decisions
|
||||
- APIv2 auth will remain stateless (JWT only)
|
||||
- No CSRF protection will be implemented
|
||||
- Portal must fully remove APIv1 and Pterodactyl patterns
|
||||
|
||||
### Next Actions
|
||||
- Enforce `requireAuth` selectively in APIv2
|
||||
- Update portal login to match APIv2 contract
|
||||
- Track portal migration progress in OPEN_THREADS
|
||||
|
||||
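Review bot: Under Decisions, "No CSRF protection will be implemented" is recorded without the condition it depends on: the entry never says how the portal stores or sends the JWT. The reasoning in "Confirmed no CSRF or cookie-based auth required (stateless JWT)" holds only while the token travels in a request header that the browser does not attach automatically; if the portal ever places the token in a cookie, the decision no longer follows. Suggest adding that constraint to the decision line so it is re-checked when the portal login is updated. Separately, Work Completed lists "`/api/instances` endpoint verified working without auth" while Next Actions says "Enforce `requireAuth` selectively in APIv2" without naming any routes; state whether unauthenticated access to `/api/instances` is intended, or list it among the routes to be covered, so the open endpoint is tracked rather than implied.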