cal/strat-gameplay-webapp
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
bda98b1efe
strat-gameplay-webapp/ACCESS_CONTROL.md
Cal Corum 6e3aad9fdf CLAUDE: Add developer utilities and access control documentation 
Added helper scripts and documentation for improved developer experience:

1. ACCESS_CONTROL.md
   - Comprehensive Discord whitelist documentation
   - Configuration examples and security best practices
   - Troubleshooting guide for common access issues
   - Details both OAuth and test token protection points

2. start-services.sh
   - One-command startup for backend + frontend
   - Logs to logs/ directory with PIDs tracked
   - Displays URLs and helpful information
   - 3-second backend initialization delay

3. stop-services.sh
   - Clean shutdown with process tree killing
   - Removes orphaned processes by pattern matching
   - Graceful TERM followed by KILL if needed
   - Cleans up PID files

These utilities streamline local development by:
- Reducing manual startup steps
- Ensuring clean shutdown (no orphaned processes)
- Providing clear access control guidance

Scripts are now executable and ready to use:
  ./start-services.sh
  ./stop-services.sh

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-26 22:25:19 -06:00

216 lines
4.7 KiB
Markdown
Raw Blame History

# Discord User Access Control
## Overview
The backend now includes Discord ID whitelist functionality to control who can access the system. This is useful for limiting access during testing/beta phases or for private leagues.
## Configuration
### Quick Start
Add this line to your `backend/.env` file:
```bash
# Allow specific Discord users (recommended)
ALLOWED_DISCORD_IDS=123456789012345678,987654321098765432
# OR allow everyone (not recommended for production)
ALLOWED_DISCORD_IDS=*
# OR leave empty to allow everyone (default, not recommended)
ALLOWED_DISCORD_IDS=
```
### Finding Discord User IDs
**Method 1: Enable Developer Mode in Discord**
1. Open Discord Settings → Advanced
2. Enable "Developer Mode"
3. Right-click on a user → "Copy User ID"
**Method 2: From OAuth Response**
- Check backend logs after a user authenticates
- Look for: `Discord ID {id} verified in whitelist`
## How It Works
### Protection Points
The whitelist is checked at **two** authentication points:
1. **Discord OAuth Flow** (`/api/auth/discord/callback`)
- After Discord authenticates the user
- Before creating JWT token
- Returns HTTP 403 if user not in whitelist
2. **Test Token Endpoint** (`/api/auth/token`)
- Development/testing endpoint
- Also checks whitelist
- Returns HTTP 403 if Discord ID not allowed
### Error Response
When access is denied, users see:
```json
{
"detail": "Access denied. Your Discord account is not authorized to access this system."
}
```
## Usage Examples
### Allow Only You and One Tester
```bash
# In backend/.env
ALLOWED_DISCORD_IDS=123456789012345678,987654321098765432
```
### Allow Everyone (Development)
```bash
# Option 1: Use wildcard
ALLOWED_DISCORD_IDS=*
# Option 2: Leave empty
ALLOWED_DISCORD_IDS=
```
### Production Recommendation
```bash
# Explicitly list all authorized users
ALLOWED_DISCORD_IDS=user1_id,user2_id,user3_id
```
## Testing
### Test With Authorized User
```bash
# 1. Add your Discord ID to .env
ALLOWED_DISCORD_IDS=your_discord_id
# 2. Restart backend
./stop-services.sh && ./start-services.sh
# 3. Try to authenticate - should succeed
```
### Test With Unauthorized User
```bash
# 1. Set whitelist to specific IDs (not yours)
ALLOWED_DISCORD_IDS=123456789012345678
# 2. Restart backend
./stop-services.sh && ./start-services.sh
# 3. Try to authenticate - should get 403 error
```
## Monitoring
### Backend Logs
Whitelist checks are logged:
**Allowed:**
```
INFO - Discord ID 123456789012345678 verified in whitelist
INFO - User TestPlayer authenticated successfully
```
**Denied:**
```
WARNING - Discord ID 999999999999999999 not in whitelist - access denied
```
**Whitelist Disabled:**
```
WARNING - Discord whitelist disabled - allowing all users
```
## Security Best Practices
1.**DO** use explicit user IDs in production
2.**DO** keep the whitelist in `.env` (gitignored)
3.**DO** restart backend after changing whitelist
4.**DON'T** use `*` or empty whitelist in production
5.**DON'T** commit Discord IDs to git
6.**DON'T** share your `.env` file
## Troubleshooting
### "Access denied" for authorized user
**Check:**
1. Discord ID is correct (no typos)
2. No extra spaces in `.env`
3. Backend has been restarted
4. Check backend logs for whitelist warnings
**Fix:**
```bash
# Verify your Discord ID
# Right-click your name in Discord → Copy User ID
# Update .env with correct ID
ALLOWED_DISCORD_IDS=your_correct_discord_id
# Restart
./stop-services.sh && ./start-services.sh
```
### Everyone getting access when they shouldn't
**Check:**
1. `ALLOWED_DISCORD_IDS` is not `*`
2. `ALLOWED_DISCORD_IDS` is not empty
3. Backend logs show "verified in whitelist"
**Fix:**
```bash
# Set explicit whitelist
ALLOWED_DISCORD_IDS=your_id,friend_id
# Restart
./stop-services.sh && ./start-services.sh
```
### Test tokens not working
**Remember:** Test token endpoint (`/api/auth/token`) also respects the whitelist!
```bash
# Your test token request must use an allowed Discord ID
{
"user_id": "test-user-1",
"username": "TestPlayer",
"discord_id": "your_whitelisted_discord_id" # Must be in whitelist!
}
```
## Implementation Details
### Code Locations
- **Config**: `backend/app/config.py` - Defines `allowed_discord_ids` setting
- **Auth Routes**: `backend/app/api/routes/auth.py` - Implements `is_discord_id_allowed()` check
- **Discord OAuth**: Line 198-203 - Checks whitelist after Discord auth
- **Test Tokens**: Line 376-380 - Checks whitelist for test tokens
### Whitelist Format
- **Comma-separated**: `id1,id2,id3`
- **Spaces ignored**: `id1, id2, id3` works too
- **Empty/missing**: Allows all users
- **Wildcard**: `*` allows all users
---
**Created**: 2025-01-25
**Author**: Jarvis
**Purpose**: Control testing access via Discord user whitelist
Reference in New Issue View Git Blame Copy Permalink