feat: implement local authentication mode and update related components
This commit is contained in:
Abhimanyu Saharan
@@ -7,7 +7,7 @@
|
||||
|
||||
Mission Control is the **web UI + HTTP API** for operating OpenClaw. It’s where you manage boards, tasks, agents, approvals, and (optionally) gateway connections.
|
||||
|
||||
> Auth note: **Clerk is required for production**. The codebase includes gating so CI/local can run without “real” keys, but real deployments should configure Clerk.
|
||||
> Auth note: Mission Control supports two auth modes: `local` (shared bearer token) and `clerk`.
|
||||
|
||||
## Components
|
||||
|
||||
@@ -48,14 +48,17 @@ Common UI-driven data shapes:
|
||||
- “boards/tasks” views → board/task CRUD + streams.
|
||||
- “activity feed” → activity/events endpoints.
|
||||
|
||||
### 2) Authentication (Clerk)
|
||||
### 2) Authentication (`local` or Clerk)
|
||||
|
||||
- **Frontend**: Clerk is enabled only when a publishable key is present/valid.
|
||||
- Gating/wrappers: `frontend/src/auth/clerkKey.ts`, `frontend/src/auth/clerk.tsx`.
|
||||
- **Frontend → backend**: API calls attach `Authorization: Bearer <token>` when available.
|
||||
- Token injection: `frontend/src/api/mutator.ts` (uses `window.Clerk.session.getToken()`).
|
||||
- **Backend**: validates inbound auth and resolves a user context.
|
||||
- Implementation: `backend/app/core/auth.py` (uses `clerk_backend_api` SDK with `CLERK_SECRET_KEY`).
|
||||
- **Frontend**:
|
||||
- `local`: token entry + token storage (`frontend/src/components/organisms/LocalAuthLogin.tsx`, `frontend/src/auth/localAuth.ts`).
|
||||
- `clerk`: Clerk wrappers/hooks (`frontend/src/auth/clerk.tsx`).
|
||||
- **Frontend → backend**:
|
||||
- API calls attach `Authorization: Bearer <token>` from local mode token or Clerk session token (`frontend/src/api/mutator.ts`).
|
||||
- **Backend**:
|
||||
- `local`: validates `LOCAL_AUTH_TOKEN`.
|
||||
- `clerk`: validates Clerk request state via `clerk_backend_api` + `CLERK_SECRET_KEY`.
|
||||
- Implementation: `backend/app/core/auth.py`.
|
||||
|
||||
### 3) Agent automation surface (`/api/v1/agent/*`)
|
||||
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
|
||||
Mission Control is the **web UI + HTTP API** for operating OpenClaw. It’s where you manage boards, tasks, agents, approvals, and (optionally) gateway connections.
|
||||
|
||||
> Auth note: **Clerk is required for now** (current product direction). The codebase includes gating so CI/local can run with placeholders, but real deployments should configure Clerk.
|
||||
> Auth note: Mission Control supports two auth modes: `local` (shared bearer token) and `clerk`.
|
||||
|
||||
At a high level:
|
||||
- The **frontend** is a Next.js app used by humans.
|
||||
@@ -29,10 +29,11 @@ flowchart LR
|
||||
- Routes/pages: `frontend/src/app/*` (Next.js App Router)
|
||||
- API utilities: `frontend/src/lib/*` and `frontend/src/api/*`
|
||||
|
||||
**Auth (Clerk, required)**
|
||||
- Clerk is required for real deployments and currently required by backend config (see `backend/app/core/config.py`).
|
||||
- Frontend uses Clerk when keys are configured; see `frontend/src/auth/clerkKey.ts` and `frontend/src/auth/clerk.tsx`.
|
||||
- Backend authenticates requests using the Clerk SDK and `CLERK_SECRET_KEY`; see `backend/app/core/auth.py`.
|
||||
**Auth (`local` or Clerk)**
|
||||
- `local` mode authenticates a shared bearer token (`LOCAL_AUTH_TOKEN`) and resolves a local user context.
|
||||
- `clerk` mode verifies Clerk JWTs using `CLERK_SECRET_KEY`.
|
||||
- Frontend mode switch + wrappers: `frontend/src/auth/clerk.tsx`, `frontend/src/auth/localAuth.ts`, and `frontend/src/components/providers/AuthProvider.tsx`.
|
||||
- Backend mode switch: `backend/app/core/config.py` and `backend/app/core/auth.py`.
|
||||
|
||||
|
||||
### Backend (FastAPI)
|
||||
@@ -64,9 +65,13 @@ Mission Control can call into an OpenClaw Gateway over WebSockets.
|
||||
2. Frontend calls backend endpoints under `/api/v1/*`.
|
||||
3. Backend reads/writes Postgres.
|
||||
|
||||
### Auth (Clerk — required)
|
||||
- **Frontend** uses Clerk when keys are configured (see `frontend/src/auth/*`).
|
||||
- **Backend** authenticates requests using the Clerk SDK and `CLERK_SECRET_KEY` (see `backend/app/core/auth.py`).
|
||||
### Auth (`local` or Clerk)
|
||||
- **Frontend**:
|
||||
- `local`: token entry screen + session storage token (`frontend/src/components/organisms/LocalAuthLogin.tsx`, `frontend/src/auth/localAuth.ts`).
|
||||
- `clerk`: Clerk wrappers/hooks (`frontend/src/auth/clerk.tsx`).
|
||||
- **Backend**:
|
||||
- `local`: validates `Authorization: Bearer <LOCAL_AUTH_TOKEN>`.
|
||||
- `clerk`: validates Clerk request state with SDK + `CLERK_SECRET_KEY`.
|
||||
### Agent access (X-Agent-Token)
|
||||
Automation/agents can use the “agent” API surface:
|
||||
- Endpoints under `/api/v1/agent/*` (router: `backend/app/api/agent.py`).
|
||||
@@ -92,7 +97,7 @@ Backend:
|
||||
Frontend:
|
||||
- `frontend/src/app/` — Next.js routes
|
||||
- `frontend/src/components/` — UI components
|
||||
- `frontend/src/auth/` — Clerk gating/wrappers
|
||||
- `frontend/src/auth/` — auth mode helpers (`clerk` and `local`)
|
||||
- `frontend/src/lib/` — utilities + API base
|
||||
|
||||
## Where to start reading code
|
||||
@@ -106,7 +111,7 @@ Backend:
|
||||
Frontend:
|
||||
1. `frontend/src/app/*` — main UI routes
|
||||
2. `frontend/src/lib/api-base.ts` — backend calls
|
||||
3. `frontend/src/auth/*` — Clerk integration (gated for CI/local)
|
||||
3. `frontend/src/auth/*` — auth mode integration (`local` + Clerk)
|
||||
|
||||
## Related docs
|
||||
- Self-host (Docker Compose): see repo root README: [Quick start (self-host with Docker Compose)](../../README.md#quick-start-self-host-with-docker-compose)
|
||||
|
||||
@@ -110,49 +110,58 @@ Instead, it supports an optional user-managed env file:
|
||||
|
||||
If present, Compose will load it.
|
||||
|
||||
## Clerk (auth) notes
|
||||
## Authentication modes
|
||||
|
||||
Clerk is currently required.
|
||||
Mission Control supports two deployment auth modes:
|
||||
|
||||
### Frontend (Clerk keys)
|
||||
- `AUTH_MODE=local`: shared bearer token auth (self-host default)
|
||||
- `AUTH_MODE=clerk`: Clerk JWT auth
|
||||
|
||||
Create `frontend/.env` (this file is **not** committed; `compose.yml` loads it if present):
|
||||
### Local mode (self-host default)
|
||||
|
||||
Set in `.env` (repo root):
|
||||
|
||||
```env
|
||||
# Frontend → Backend
|
||||
NEXT_PUBLIC_API_URL=http://localhost:8000
|
||||
|
||||
# Frontend → Clerk
|
||||
NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY=YOUR_PUBLISHABLE_KEY
|
||||
CLERK_SECRET_KEY=YOUR_SECRET_KEY
|
||||
|
||||
# Optional (but recommended) redirects
|
||||
NEXT_PUBLIC_CLERK_SIGN_IN_FORCE_REDIRECT_URL=/boards
|
||||
NEXT_PUBLIC_CLERK_SIGN_UP_FORCE_REDIRECT_URL=/boards
|
||||
NEXT_PUBLIC_CLERK_SIGN_IN_FALLBACK_REDIRECT_URL=/boards
|
||||
NEXT_PUBLIC_CLERK_SIGN_UP_FALLBACK_REDIRECT_URL=/boards
|
||||
AUTH_MODE=local
|
||||
LOCAL_AUTH_TOKEN=replace-with-strong-random-token
|
||||
```
|
||||
|
||||
### Backend (auth)
|
||||
Set frontend mode (optional override in `frontend/.env`):
|
||||
|
||||
The backend authenticates requests using the Clerk SDK and **`CLERK_SECRET_KEY`** (see `backend/app/core/auth.py`).
|
||||
```env
|
||||
NEXT_PUBLIC_AUTH_MODE=local
|
||||
NEXT_PUBLIC_API_URL=http://localhost:8000
|
||||
```
|
||||
|
||||
Create `backend/.env` (this file is **not** committed) with at least:
|
||||
Users enter `LOCAL_AUTH_TOKEN` in the local login screen.
|
||||
|
||||
### Clerk mode
|
||||
|
||||
Set in `.env` (repo root):
|
||||
|
||||
```env
|
||||
AUTH_MODE=clerk
|
||||
```
|
||||
|
||||
Create `backend/.env` with at least:
|
||||
|
||||
```env
|
||||
CLERK_SECRET_KEY=sk_test_your_real_key
|
||||
|
||||
# Optional tuning
|
||||
CLERK_API_URL=https://api.clerk.com
|
||||
CLERK_VERIFY_IAT=true
|
||||
CLERK_LEEWAY=10.0
|
||||
```
|
||||
|
||||
Then either:
|
||||
1) update `compose.yml` to load `backend/.env` (recommended), or
|
||||
2) pass the values via `services.backend.environment`.
|
||||
Create `frontend/.env` with at least:
|
||||
|
||||
**Security:** treat `CLERK_SECRET_KEY` like a password. Do not commit it.
|
||||
```env
|
||||
NEXT_PUBLIC_AUTH_MODE=clerk
|
||||
NEXT_PUBLIC_API_URL=http://localhost:8000
|
||||
NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY=pk_test_your_real_key
|
||||
CLERK_SECRET_KEY=sk_test_your_real_key
|
||||
```
|
||||
|
||||
**Security:** treat `LOCAL_AUTH_TOKEN` and `CLERK_SECRET_KEY` like passwords. Do not commit them.
|
||||
|
||||
## Troubleshooting
|
||||
|
||||
|
||||
@@ -59,8 +59,10 @@ Recommended approach:
|
||||
|
||||
Secrets guidelines:
|
||||
|
||||
- **Clerk auth is required for now**: you must configure Clerk keys/JWKS for the app to work.
|
||||
- Never commit Clerk secret key.
|
||||
- Choose auth mode explicitly:
|
||||
- `AUTH_MODE=local`: set a strong `LOCAL_AUTH_TOKEN`
|
||||
- `AUTH_MODE=clerk`: configure Clerk keys
|
||||
- Never commit `LOCAL_AUTH_TOKEN` or Clerk secret key.
|
||||
- Prefer passing secrets as environment variables from the host (or use Docker secrets if you later
|
||||
migrate to Swarm/K8s).
|
||||
- Rotate secrets if they ever hit logs.
|
||||
@@ -75,7 +77,7 @@ sudo git clone https://github.com/abhi1693/openclaw-mission-control.git mission-
|
||||
cd mission-control
|
||||
|
||||
cp .env.example .env
|
||||
# edit .env with real values (domains, Clerk keys, etc.)
|
||||
# edit .env with real values (domains, auth mode + secrets, etc.)
|
||||
|
||||
docker compose -f compose.yml --env-file .env up -d --build
|
||||
```
|
||||
|
||||
Reference in New Issue
Block a user