Next Steps & Priority List¶

Open items and future improvements for PIN Gate authentication.

Current Version: v1.4.2

Open GitHub Issues¶

P1 - Immediate¶

#6 Test all protected sites with real browser sessions ¶

Test all 19 protected sites with real browser sessions
Verify cookie persistence across subdomain navigation
Test mobile browsers (iOS Safari, Android Chrome)
Validate error handling (wrong PIN, expired sessions)

#1 Production Hardening - Partially Complete¶

Set production PIN hash (PIN_GATE_PIN_HASH)

Generate persistent secret key (PIN_GATE_SECRET)

python3 -c "import secrets; print(secrets.token_hex(32))"
# Add to .env: PIN_GATE_SECRET=<key>

P2 - Security Enhancements¶

#2 Add rate limiting on /auth/login ¶

Prevent brute force PIN attempts with NGINX rate limiting:

# In http block
limit_req_zone $binary_remote_addr zone=pin_limit:10m rate=5r/m;

# In server block
location = /auth/login {
    limit_req zone=pin_limit burst=3 nodelay;
    proxy_pass http://pin_gate_auth;
}

#3 Add audit logging for authentication attempts ¶

Log authentication attempts (success/failure) with timestamps and IPs
Consider structured logging (JSON) for log aggregation
Add log rotation for auth logs

#5 Add session management endpoints ¶

Add /auth/sessions endpoint to view active sessions (admin only)
Implement session revocation capability
Consider session binding to IP (currently disabled for mobile)

P3 - API Improvements¶

#4 Return JSON 401 for API endpoints ¶

API endpoints currently redirect to PIN page on 401. Should return JSON:

location /api/ {
    auth_request /internal/auth/verify;
    error_page 401 = @api_unauthorized;
    proxy_pass http://backend;
}

location @api_unauthorized {
    default_type application/json;
    return 401 '{"error": "authentication_required", "auth_url": "/auth/pin"}';
}

Affected sites: ky04api, mi20api, testsiteapi, models.nominate.ai

Future Roadmap (No Issues Yet)¶

Health & Monitoring¶

Add Prometheus metrics endpoint (/metrics)
Track: auth attempts, success rate, active sessions, response times

Multi-User Support¶

Replace single PIN with user database
Add user registration/management
Per-user session tracking

Enhanced Authentication¶

OAuth2/OIDC provider support
TOTP 2FA option
WebAuthn/passkey support

Recently Completed¶

v1.4.2 - Use hashed PIN in production, UI improvements (#7)
v1.4.1 - Maintenance cycle, code formatting
v1.4.0 - API key authentication for external clients
v1.3.x - Protected 19 sites across *.nominate.ai
v1.0.0 - Initial implementation, systemd service on port 32202

Known Issues to Investigate¶

Issue	Status	Notes
CDN/Files large downloads	To Test	May need special handling
WebSocket connections	To Test	May need separate auth handling

Quick Reference¶

# Service management
sudo systemctl status cbauth
sudo systemctl restart cbauth
sudo journalctl -u cbauth -f

# NGINX
sudo nginx -t && sudo systemctl reload nginx

# Change PIN (use hash)
read -sp "PIN: " p && echo -n "$p" | sha256sum | cut -d' ' -f1 && unset p
# Update PIN_GATE_PIN_HASH in .env, then restart