Context
The web UI currently has no authentication. Every endpoint is reachable by anyone who can connect to the bind address. The default bind is 127.0.0.1, but users routinely run home-LAN services on 0.0.0.0, and the actor field on events defaults to the hard-coded string webui when no user is supplied, which makes the audit trail fictional for anything done through the browser.
Impact
- Anyone on the LAN can read and modify inventory.
- The audit trail (actor_user_id in events) doesn't reflect real identity, so history queries are misleading.
- The "User" field in the add-item form is honor-system; a malicious or careless visitor can attribute changes to any name.
Proposed direction
Start with HTTP Basic Auth (single credential pair, stored hashed in config.toml):
- Middleware in internal/web/middleware.go rejects unauthenticated requests with 401 + WWW-Authenticate: Basic.
- Authenticated identity becomes the actor for write events instead of the literal "webui" string (replace the hardcoded values in handlers.go for rename, create, toggle-missing).
- Remove the "User" field from the add-item form once identity is real.
- Optional follow-up: per-user accounts or OIDC if multi-user becomes a need.
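The middleware and actor plumbing described above, as an added example (not the project's code): it wraps a handler, challenges unauthenticated requests with 401 and WWW-Authenticate: Basic, compares credentials in constant time, and hands the verified user name to the handler through the request context so write events can record it instead of the literal "webui". The Credential type, the ActorFromContext and Probe helpers, and the realm name are assumptions for this example; the stored digest is plain SHA-256 only to keep the block dependency-free, and a deployment should store a slow password hash (bcrypt or argon2) in config.toml and verify with the matching library.

```go
package main

import (
	"context"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Credential is an assumed shape for the single credential pair kept in
// config.toml: a user name and a hex-encoded digest of the password.
// SHA-256 is used here only to avoid external dependencies; use a slow
// password hash in practice.
type Credential struct {
	User       string
	PassDigest string // hex(sha256(password))
}

type ctxKey int

const actorKey ctxKey = 0

// ActorFromContext returns the authenticated user name stored by the
// middleware, or "" if the request was not authenticated.
func ActorFromContext(ctx context.Context) string {
	v, _ := ctx.Value(actorKey).(string)
	return v
}

// DigestFor produces the value an operator would store for a password.
func DigestFor(pass string) string {
	d := sha256.Sum256([]byte(pass))
	return hex.EncodeToString(d[:])
}

// Verify compares the supplied user name and password against the stored
// credential in constant time, so neither comparison leaks timing.
func (c Credential) Verify(user, pass string) bool {
	want, err := hex.DecodeString(c.PassDigest)
	if err != nil {
		return false
	}
	got := sha256.Sum256([]byte(pass))
	userOK := subtle.ConstantTimeCompare([]byte(user), []byte(c.User)) == 1
	passOK := subtle.ConstantTimeCompare(got[:], want) == 1
	return userOK && passOK
}

// BasicAuth rejects requests without valid credentials with 401 plus a
// Basic challenge; on success it records the identity in the context.
func BasicAuth(cred Credential, realm string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		user, pass, ok := r.BasicAuth()
		if !ok || !cred.Verify(user, pass) {
			w.Header().Set("WWW-Authenticate", `Basic realm="`+realm+`", charset="UTF-8"`)
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		ctx := context.WithValue(r.Context(), actorKey, user)
		next.ServeHTTP(w, r.WithContext(ctx))
	})
}

// Probe sends one constructed request through the middleware and reports the
// status code, the actor the protected handler saw, and the challenge header.
func Probe(cred Credential, user, pass string, withAuth bool) (int, string, string) {
	var seenActor string
	h := BasicAuth(cred, "inventory", http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		seenActor = ActorFromContext(r.Context()) // this is what a write event would record
		w.WriteHeader(http.StatusOK)
	}))
	req := httptest.NewRequest(http.MethodPost, "/items/rename", nil)
	if withAuth {
		req.SetBasicAuth(user, pass)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code, seenActor, rec.Header().Get("WWW-Authenticate")
}

func main() {
	cred := Credential{User: "alice", PassDigest: DigestFor("correct horse")}
	code, actor, challenge := Probe(cred, "", "", false)
	fmt.Println(code, actor, challenge) // 401, no actor, Basic challenge
	code, actor, _ = Probe(cred, "alice", "correct horse", true)
	fmt.Println(code, actor) // 200 alice
}
```

The handler never sees an unauthenticated request, so the actor it records can only be the verified user name; the 401 path is where the honor-system "User" field ends up replaced.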
References
- internal/web/handlers.go (CreateEntity, RenameEntity, ChangeStatus calls).