Reviewing files that changed from the base of the PR and between b4c857d and 139c9ea.

• ui/pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

• api/v2/api.yaml (4 hunks)
• internal/common/config/config.go (3 hunks)
• internal/common/config/config_test.go (1 hunks)
• internal/common/config/definition.go (2 hunks)
• internal/common/config/loader.go (5 hunks)
• internal/common/config/loader_test.go (6 hunks)
• internal/core/auth/context.go (1 hunks)
• internal/core/auth/role.go (1 hunks)
• internal/core/auth/role_test.go (1 hunks)
• internal/core/auth/store.go (1 hunks)
• internal/core/auth/user.go (1 hunks)
• internal/persistence/fileuser/store.go (1 hunks)
• internal/persistence/fileuser/store_test.go (1 hunks)
• internal/service/auth/service.go (1 hunks)
• internal/service/auth/service_test.go (1 hunks)
• internal/service/frontend/api/v2/api.go (8 hunks)
• internal/service/frontend/api/v2/auth.go (1 hunks)
• internal/service/frontend/api/v2/dagruns.go (8 hunks)
• internal/service/frontend/api/v2/dags.go (8 hunks)
• internal/service/frontend/api/v2/users.go (1 hunks)
• internal/service/frontend/auth/builtin.go (1 hunks)
• internal/service/frontend/server.go (4 hunks)
• internal/service/frontend/templates.go (2 hunks)
• internal/service/frontend/templates/base.gohtml (2 hunks)
• ui/index.html (1 hunks)
• ui/package.json (1 hunks)
• ui/src/App.tsx (3 hunks)
• ui/src/api/v2/schema.ts (3 hunks)
• ui/src/components/ChangePasswordModal.tsx (1 hunks)
• ui/src/components/ProtectedRoute.tsx (1 hunks)
• ui/src/components/UserMenu.tsx (1 hunks)
• ui/src/components/ui/dropdown-menu.tsx (1 hunks)
• ui/src/contexts/AuthContext.tsx (1 hunks)
• ui/src/contexts/ConfigContext.tsx (2 hunks)
• ui/src/features/system-status/components/ResourceChart.tsx (3 hunks)
• ui/src/hooks/api.ts (2 hunks)
• ui/src/layouts/Layout.tsx (2 hunks)
• ui/src/lib/fetchJson.ts (1 hunks)
• ui/src/menu.tsx (4 hunks)
• ui/src/pages/login.tsx (1 hunks)
• ui/src/pages/users/ResetPasswordModal.tsx (1 hunks)
• ui/src/pages/users/UserFormModal.tsx (1 hunks)
• ui/src/pages/users/index.tsx (1 hunks)

ui/src/features/system-status/components/ResourceChart.tsx (1)

100-102: Visual improvements look good.

The gradient definition is correctly structured with standard offsets (0% to 100%), and the strokeWidth={2} addition makes the chart line more visible. The fill reference properly uses the dynamic gradientId.

Also applies to: 125-126

ui/src/hooks/api.ts (1)

11-24: LGTM! Clean middleware implementation.

The auth middleware correctly reads the token from localStorage and attaches it as a Bearer token to all API requests. This approach is standard for JWT-based authentication.

ui/src/contexts/AuthContext.tsx (2)

34-117: Well-structured authentication context.

The AuthProvider implementation is clean and handles the authentication lifecycle properly. Token persistence, role-based permissions, and graceful error handling are all well implemented.

Note: Storing JWT tokens in localStorage is vulnerable to XSS attacks. This is acceptable for many use cases, but be aware that if an XSS vulnerability exists elsewhere in the application, the token could be stolen. Consider httpOnly cookies for enhanced security in future iterations.

---

128-149: Smart permission hook design.

The permission hooks elegantly handle both builtin and external auth modes, falling back to config permissions when appropriate. The role hierarchy comparison ensures consistent permission checks.

ui/src/components/ui/dropdown-menu.tsx (1)

1-197: Excellent component implementation.

The dropdown menu wrapper follows best practices for Radix UI integration:

• Proper forwardRef usage for all components
• Dark mode support with appropriate Tailwind classes
• Compact, developer-centric styling as per guidelines
• Keyboard navigation and accessibility supported by Radix primitives
• Clean composition with optional inset props where needed

Based on coding guidelines: The component follows the UI design principles with compact sizing (py-1.5, px-2), dark mode support, and maintains keyboard navigation through Radix UI's built-in accessibility features.

ui/src/layouts/Layout.tsx (1)

14-14: LGTM! Clean integration of UserMenu.

The UserMenu is properly imported and rendered in the header's right-side control cluster, following the existing pattern alongside ThemeToggle. The placement is logical and consistent with the layout structure.

Also applies to: 261-261

ui/index.html (1)

50-52: LGTM! Development configuration.

The additions of usersDir and authMode to the config object are appropriate for development/testing. These values align with the new authentication feature and follow the existing path patterns.

Note: This appears to be a development configuration file. Production values would be templated from the backend service configuration.

ui/package.json (1)

76-76: No action needed on @radix-ui/react-dropdown-menu version.

Version 2.1.16 is the latest stable release, and no known security vulnerabilities are reported for this package. The caret constraint allows automatic minor and patch updates within the 2.x range.

internal/service/frontend/templates.go (1)

63-63: LGTM!

The additions properly expose AuthMode and UsersDir configuration to templates through well-defined template functions.

Also applies to: 138-143

internal/service/frontend/templates/base.gohtml (1)

22-22: LGTM!

Template changes correctly expose authMode and usersDir to the frontend configuration object.

Also applies to: 38-38

ui/src/menu.tsx (1)

3-3: LGTM!

The admin-gated User Management navigation item is properly implemented using the useIsAdmin() hook, consistent with existing patterns in the codebase.

Also applies to: 14-14, 70-70, 222-230

internal/common/config/config_test.go (1)

197-312: LGTM! Comprehensive test coverage for builtin auth validation.

The test cases thoroughly cover:

• Missing required fields (usersDir, token secret, admin username)
• Valid builtin auth configuration
• Validation skipping for non-builtin auth modes

All tests properly use t.Parallel() and appropriate assertion methods.

api/v2/api.yaml (4)

63-162: LGTM! Auth endpoints are well-defined.

The authentication endpoints follow RESTful conventions:

• Login is properly marked as public with security: []
• Me and change-password endpoints require authentication (use default security)
• Response schemas are complete with appropriate field types

---

167-436: LGTM! User management endpoints follow best practices.

The user management endpoints are well-designed:

• All require authentication and admin role (per descriptions)
• DELETE endpoint includes self-deletion protection
• PATCH for updates (partial modification) is appropriate
• Response codes are comprehensive (401, 403, 404, 409)
• Username conflict handling (409) is properly defined

---

3269-3426: LGTM! Auth schemas are well-defined with appropriate constraints.

The authentication and user management schemas include:

• Sensible password minimum length (8 characters)
• Username length constraints (1-64 characters)
• Clear role hierarchy (admin → manager → operator → viewer)
• Proper timestamp fields for audit trail (createdAt, updatedAt)

---

3428-3432: Add explicit security requirements to sensitive endpoints that require authentication.

The global security setting allows anonymous access via the empty object {}. While /auth/login correctly overrides this with security: [], sensitive endpoints like user deletion and password reset lack explicit security declarations and inherit the permissive global setting. This creates a spec/implementation mismatch: endpoints document "requires admin role" with 401/403 response codes, but the OpenAPI spec itself permits anonymous access.

Add security: declarations to endpoints requiring authentication (POST/PUT/DELETE operations on /users, /dags, etc.) to explicitly enforce authentication:

security:
  - apiToken: []
  - basicAuth: []

Endpoints intentionally supporting anonymous access (like /health) should explicitly declare security: [].

ui/src/contexts/ConfigContext.tsx (1)

16-16: Empty string in AuthMode is necessary as the default/uninitialized state.

The backend Go code defines AuthMode with only three named constants ("none", "builtin", "oidc"), but the config loader test TestLoad_AuthMode/AuthModeDefaultEmpty explicitly confirms that when no auth mode is configured, the backend defaults to an empty string: AuthMode(""). The frontend's TypeScript union includes '' to accurately represent this default state that the backend can send. While the UI treats all non-'builtin' values identically (empty string, 'none', and 'oidc' are functionally equivalent in permission checks), the empty string is semantically distinct as the uninitialized/unconfigured state.

internal/core/auth/role_test.go (2)

124-136: LGTM: Defensive mutation test.

The test correctly verifies that modifying the returned slice doesn't affect internal state, which is good defensive programming.

---

1-136: Fix: Run go fmt to resolve pipeline failure.

The CI pipeline is failing because this file needs formatting.

Run the following command to fix:

go fmt ./internal/core/auth/role_test.go

⛔ Skipped due to learnings

Learnt from: CR
Repo: dagu-org/dagu PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-12-04T10:34:17.051Z
Learning: Applies to **/*.go : Keep Go files `gofmt`/`goimports` clean; use tabs, PascalCase for exported symbols (`SchedulerClient`), lowerCamelCase for locals, and `Err...` names for package-level errors

Learnt from: CR
Repo: dagu-org/dagu PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-12-04T10:34:17.051Z
Learning: Applies to **/*_test.go : Co-locate Go tests as `*_test.go`; favour table-driven cases and cover failure paths

Learnt from: CR
Repo: dagu-org/dagu PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-12-04T10:34:17.051Z
Learning: Applies to **/*.go : Repository linting relies on `golangci-lint`; prefer idiomatic Go patterns, minimal global state, and structured logging helpers in `internal/common`

Learnt from: CR
Repo: dagu-org/dagu PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-12-04T10:34:17.051Z
Learning: Applies to **/*_test.go : Use `stretchr/testify/require` and shared fixtures from `internal/test` instead of duplicating mocks

Learnt from: CR
Repo: dagu-org/dagu PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-12-04T10:34:17.051Z
Learning: `make test` (or `make test-coverage`) executes the Go suite via `gotestsum`; append `TEST_TARGET=./internal/...` to focus packages

ui/src/components/UserMenu.tsx (1)

48-94: LGTM: Clean component implementation.

The component correctly guards rendering based on auth mode, handles user interactions, and follows the compact UI design guidelines with proper dark mode support.

ui/src/components/ProtectedRoute.tsx (1)

11-37: LGTM: Solid route protection implementation.

The component correctly handles all auth states (loading, unauthenticated, role-based) and follows React Router best practices by preserving the target location for post-login redirect.

ui/src/pages/login.tsx (1)

44-97: LGTM: Clean form implementation.

The form handling, validation, error display, and loading states follow best practices and align with the UI guidelines for compact design.

internal/core/auth/user.go (1)

12-75: LGTM: Well-designed user model with proper security.

The implementation correctly excludes the password hash from JSON serialization (Line 20), generates UUIDs for user IDs, and provides clean conversion methods for storage. The separation between User and UserForStorage is a good design choice.

ui/src/pages/users/UserFormModal.tsx (3)

31-36: LGTM: Well-structured role definitions.

The role definitions with descriptions provide good UX and align with the backend role system.

---

48-59: LGTM: Proper form state management.

The effect correctly resets form state when the user prop or modal visibility changes, preventing stale data issues.

---

61-113: LGTM: Robust form submission with validation.

The form correctly validates password length, handles both create and update modes, and provides appropriate error feedback. The API error handling extracts messages from the response structure.

internal/core/auth/context.go (2)

8-26: LGTM: Idiomatic Go context utilities.

The implementation follows Go best practices with a private context key type to avoid collisions and provides both safe (UserFromContext) and panic-on-error (MustUserFromContext) accessors.

---

28-36: Remove or defer this comment—MustUserFromContext has no callers in the codebase.

The function is currently unused. If it's intended as a public API for external use, keep it with the panic behavior and existing documentation. If it's internal, remove it or add usages; the middleware protection requirement cannot be verified without actual call sites.

ui/src/pages/users/ResetPasswordModal.tsx (3)

31-41: LGTM: Clean form lifecycle management.

The reset and close handlers properly clear all form state, preventing stale data when reopening the modal.

---

43-86: LGTM: Comprehensive validation and error handling.

The form correctly validates password requirements, handles API errors with proper message extraction, and provides success feedback with auto-close functionality.

---

88-161: LGTM: Accessible and user-friendly UI.

The modal follows the compact design guidelines with proper labeling, placeholder text, autocomplete attributes, and keyboard navigation support.

internal/persistence/fileuser/store_test.go (5)

96-122: LGTM!

The duplicate username test correctly verifies the unique constraint enforcement and expected error type.

---

124-162: LGTM!

Comprehensive coverage of not-found scenarios for all relevant store operations.

---

164-197: LGTM!

Solid test for index rebuild on store restart - validates persistence layer correctly reloads state from disk.

---

199-204: LGTM!

Validates the empty baseDir error handling.

---

206-237: LGTM!

Good verification of filesystem side effects - confirms files are properly created and cleaned up.

ui/src/App.tsx (3)

9-10: LGTM!

Correct imports for authentication scaffolding with AuthProvider and ProtectedRoute.

---

129-137: Nested ProtectedRoute for admin role is correct but slightly redundant.

The outer ProtectedRoute already ensures authentication. The inner one re-checks auth before verifying the admin role. This works correctly but adds minor overhead. Consider whether the ProtectedRoute component could accept requiredRole at the outer level to simplify, though the current approach is explicit and clear.

---

97-147: LGTM!

Provider nesting order is correct - AuthProvider is placed inside ConfigContext.Provider since it depends on useConfig() for API URL.

ui/src/pages/users/index.tsx (2)

135-218: LGTM!

Table implementation follows coding guidelines with compact row heights, proper dark mode support, and appropriate loading/empty states.

---

220-257: LGTM!

Modal integrations are correctly wired with proper state management and list refresh on success.

internal/service/auth/service_test.go (8)

16-42: LGTM!

Well-structured test helper with proper cleanup. Using BcryptCost: 4 for faster test execution is a good practice.

---

44-87: LGTM!

Good coverage of user creation including password hashing verification and weak password rejection.

---

89-125: LGTM!

Good security practice - returning the same ErrInvalidCredentials for both wrong password and non-existent user prevents user enumeration attacks.

---

127-209: LGTM!

Comprehensive token lifecycle testing including generation, validation, and claim extraction.

---

211-267: LGTM!

Good password change coverage including old password verification and post-change authentication tests.

---

269-329: LGTM!

Good coverage of admin provisioning including idempotency and password generation.

---

360-381: LGTM!

Critical self-deletion protection is properly tested, preventing users from deleting their own accounts.

---

452-508: LGTM!

Good distinction between admin ResetPassword (no old password) and user ChangePassword (requires old password) with proper validation.

internal/core/auth/store.go (2)

24-52: LGTM!

Clean repository interface with proper context support, documented error contracts, and concurrent-safety requirement.

---

11-22: LGTM!

Well-defined error sentinel values with clear documentation. These enable consistent error handling across the codebase. Both ErrInvalidUsername and ErrInvalidUserID are actively used in the fileuser implementation, confirming their necessity.

internal/service/frontend/auth/builtin.go (4)

18-50: LGTM! Clean middleware implementation.

The authentication middleware correctly validates JWT tokens, handles public paths efficiently with O(1) lookup, and properly injects the user into the request context. Error handling with structured JSON responses is consistent.

---

65-104: LGTM! Role-based authorization is well-structured.

The middleware correctly distinguishes between authentication (401) and authorization (403) failures. The convenience wrappers align with the role hierarchy defined in role.go.

---

106-119: LGTM!

Bearer token extraction follows RFC 6750 conventions correctly.

---

132-142: LGTM!

The error response structure is clean and consistent. Ignoring the encode error is acceptable here since we're already in an error path.

internal/service/frontend/api/v2/auth.go (3)

17-58: LGTM! Login endpoint is well-implemented.

The endpoint properly handles disabled auth, validates request body, correctly maps authentication errors to 401, and returns appropriate token metadata. The immediate token validation after generation ensures the token is valid before returning it to the client.

---

60-73: LGTM!

Clean implementation that correctly retrieves the user from context.

---

132-144: toAPIUsers is actually used; only formatTime may be unused.

toAPIUsers is called in internal/service/frontend/api/v2/users.go:37, so it is not unused. However, formatTime in auth.go does not appear to be called within that file or elsewhere in the API layer. A separate formatTime function exists in internal/cmd/migrator.go with its own usage. If the one in auth.go is not needed, consider removing it.

internal/service/frontend/server.go (3)

55-72: LGTM! Clean API options pattern.

The conditional auth service initialization and option passing pattern is well-structured. Graceful degradation (logging error but continuing) allows the server to start even if auth initialization fails.

---

118-129: Security consideration: auto-generated password logged in plaintext.

Logging the auto-generated admin password could expose it if logs are stored, shipped to a log aggregation service, or accessible to unauthorized users. Consider alternatives:

1. Write to a separate bootstrap file with restricted permissions
2. Output only to stderr (not structured logs) on first run
3. Require password to be set via environment variable

The current approach is acceptable for initial setup convenience, but ensure operators understand the security implications.

---

300-303: Document v1 API deprecation when auth is enabled.

When any auth mode is enabled, the v1 API becomes unavailable. This is a breaking change for users migrating to builtin auth. Ensure this is documented in release notes or migration guides.

internal/core/auth/role.go (4)

8-27: LGTM! Well-documented role hierarchy.

The role definitions are clear with good documentation explaining the permission hierarchy. Using const with typed string ensures type safety.

---

29-37: LGTM!

Returning a copy prevents external mutation of the internal roles slice.

---

39-66: LGTM!

Role capability methods correctly implement the documented hierarchy. The explicit switch/comparison approach is clear and maintainable.

---

68-76: LGTM!

The error message helpfully lists valid role options, improving developer experience.

internal/common/config/loader.go (3)

208-241: LGTM! Auth configuration loading is well-structured.

The configuration properly handles nested structs with nil checks, parses TTL duration with error handling, and records warnings for invalid values.

---

244-251: LGTM!

Sensible defaults for token TTL (24h) and admin username ("admin") are applied when not explicitly configured.

---

432-434: LGTM!

UsersDir default follows the established pattern for other data directories.

internal/common/config/definition.go (2)

160-184: LGTM! Clean struct definitions for builtin authentication.

The new authentication configuration types are well-structured with appropriate mapstructure tags. The hierarchical organization (AuthDef → AuthBuiltinDef → AdminConfigDef/TokenConfigDef) provides clear separation of concerns.

---

219-219: UsersDir addition aligns with the builtin auth feature.

The new UsersDir field properly extends PathsDef to support file-based user persistence.

internal/common/config/loader_test.go (1)

831-956: Comprehensive test coverage for new auth modes.

The tests appropriately cover:

• All three auth modes (none, builtin, OIDC)
• Environment variable loading
• Default TTL behavior (24h)
• Empty password handling
• YAML and environment-based configuration

internal/service/frontend/api/v2/api.go (1)

53-67: Well-designed AuthService interface for dependency injection.

The interface provides a clean abstraction for authentication operations, enabling testability and separation of concerns.

internal/common/config/config.go (3)

130-140: Clean AuthMode type definition with well-documented constants.

The enum-like pattern with typed constants is idiomatic Go.

---

151-167: AuthBuiltin and related config types are well-structured.

The separation of AdminConfig (initial admin credentials) and TokenConfig (JWT settings) is a clean design.

---

327-353: Thorough validation for builtin authentication prerequisites.

The validation correctly ensures:

• UsersDir is set when builtin auth is enabled
• Admin username is configured
• Token secret is provided
• Token TTL is positive

The error messages are clear and actionable.

internal/service/frontend/api/v2/users.go (4)

16-39: ListUsers handler follows consistent patterns.

Proper checks for auth service availability and admin role, with appropriate error responses.

---

42-96: CreateUser handler with comprehensive error handling.

Good coverage of edge cases: nil body, invalid role, existing username, and weak password.

---

191-233: DeleteUser correctly prevents self-deletion.

The handler properly extracts the current user from context and passes their ID to the service layer for the self-deletion check.

---

236-278: ResetUserPassword handler is well-implemented.

Proper validation and error handling for user not found and weak password scenarios.

internal/persistence/fileuser/store.go (6)

1-26: LGTM! Well-structured constants and package setup.

The permission constants (0750 for directory, 0600 for files) follow security best practices for sensitive user data.

---

31-73: LGTM! Clean initialization with proper validation.

The constructor properly validates input, creates the directory with appropriate permissions, and builds the initial index.

---

129-165: LGTM! Create operation handles conflicts correctly.

The implementation properly checks for both username and ID conflicts before persisting, and the write-then-index order ensures crash safety (rebuildIndex will recover from files).

---

167-187: Good use of atomic file writes.

The temp-file + rename pattern ensures crash safety and prevents partial writes from corrupting user data.

---

232-255: LGTM! List operation handles concurrent modifications gracefully.

The implementation correctly releases the lock between collecting IDs and loading users, and gracefully skips users that may have been deleted concurrently.

---

257-300: LGTM! Update operation with proper rollback on failure.

The implementation correctly handles username changes with conflict detection and rolls back the index if the file write fails.

ui/src/api/v2/schema.ts (2)

1-4: Auto-generated file - minimal review required.

This file is auto-generated from OpenAPI specifications. The authentication and user management schemas look correct and comprehensive with proper error handling (401, 403, 404, 409) for different scenarios.

---

4062-4067: UserRole enum values are consistent with backend.

The role hierarchy (admin, manager, operator, viewer) aligns with the backend RBAC implementation.

internal/service/auth/service.go (6)

20-38: LGTM! Appropriate security constants and error definitions.

• BCrypt cost of 12 is appropriate for production use
• Minimum password length of 8 is reasonable
• 24-hour token TTL is a sensible default

---

97-117: LGTM! JWT token generation is properly implemented.

The implementation correctly sets standard claims (Subject, IssuedAt, ExpiresAt) and validates the secret before signing.

---

119-145: LGTM! Token validation includes algorithm confusion protection.

The signing method verification at line 126 prevents algorithm confusion attacks where an attacker might try to use a different signing algorithm.

---

309-340: LGTM! Safe admin bootstrap with secure password generation.

The implementation correctly creates an admin user only when no users exist, and uses cryptographic randomness for password generation when no password is provided.

---

350-357: LGTM! Secure password generation using crypto/rand.

The implementation correctly uses the cryptographically secure random source and base64 URL encoding for safe characters.

---

209-245: LGTM! UpdateUser properly validates optional fields.

The implementation correctly handles partial updates, validating role and password only when provided.

Reviewing files that changed from the base of the PR and between 139c9ea and 2471155.

• internal/common/config/loader_test.go (6 hunks)
• internal/core/auth/role_test.go (1 hunks)
• internal/persistence/fileuser/store.go (1 hunks)
• internal/persistence/fileuser/store_test.go (1 hunks)
• internal/service/auth/service_test.go (1 hunks)
• internal/service/frontend/api/v2/auth.go (1 hunks)
• ui/src/layouts/Layout.tsx (4 hunks)

• internal/core/auth/role_test.go

• GitHub Check: Test on ubuntu-latest
• GitHub Check: Build

ui/src/layouts/Layout.tsx (4)

12-12: LGTM! Clean integration of authentication context and UI.

The new imports integrate cleanly with the existing layout structure, adding authentication-aware behavior and user management UI.

Also applies to: 15-15

---

233-240: LGTM! Conditional logic correctly handles builtin auth and remote nodes.

The OR condition appropriately hides the remote node selector when:

• Builtin auth is enabled (local-only authentication), OR
• No remote nodes are configured

This ensures the selector only appears when remote nodes are both available and supported by the authentication mode.

---

265-265: LGTM! UserMenu integrated cleanly into the header.

The UserMenu component is positioned logically alongside the ThemeToggle and handles its own visibility logic internally, keeping the layout code clean.

---

82-82: No issues found. The ConfigContext is properly initialized with a Config value passed as a prop to the App component (line 29: function App({ config }: Props)) and provided to all descendants via ConfigContext.Provider (line 95). The config parameter is a typed prop (not optional), ensuring config.authMode is safely accessible in Layout.tsx without null/undefined checks.

internal/persistence/fileuser/store_test.go (5)

96-122: LGTM!

The duplicate username test correctly validates the unique constraint enforcement.

---

124-162: LGTM!

The not-found test cases provide thorough coverage of error handling paths.

---

164-197: LGTM!

The index rebuild test correctly simulates restart behavior and validates persistence.

---

199-204: LGTM!

The empty baseDir test correctly validates input validation.

---

206-237: LGTM!

The file existence test correctly validates filesystem side effects of Create and Delete operations.

internal/service/frontend/api/v2/auth.go (4)

59-72: LGTM!

The GetCurrentUser implementation correctly retrieves the authenticated user from context with proper error handling.

---

74-118: LGTM!

The ChangePassword implementation provides comprehensive error handling for authentication, password mismatch, and weak password scenarios.

---

120-129: LGTM!

The toAPIUser conversion correctly maps all required fields from the core model to the API representation.

---

131-138: LGTM!

The toAPIUsers helper correctly converts a slice with proper preallocation for efficiency.

internal/service/auth/service_test.go (2)

16-42: LGTM!

The test setup helper follows best practices with proper cleanup, test-specific configuration (low bcrypt cost for speed), and t.Helper() marking.

---

44-508: LGTM!

The test suite provides comprehensive coverage of the authentication service, including positive cases, error handling, password validation, admin user management, and CRUD operations. The tests follow best practices with proper error checking and verification.

internal/persistence/fileuser/store.go (11)

19-40: LGTM!

The Store structure and constants follow security best practices with restrictive file permissions (0600 for files, 0750 for directories) and proper thread-safety design using RWMutex.

---

45-73: LGTM!

The constructor properly validates inputs, initializes the store, creates the directory if needed, and builds the initial index with appropriate error handling.

---

75-107: LGTM!

The index rebuild implementation is resilient to corrupted files and properly handles locking. The decision to continue on bad files (line 99) is reasonable for recovery scenarios.

---

109-122: LGTM!

The file loading helper properly uses error wrapping with %w, which is essential for the error checking in GetByID and Delete.

---

124-127: LGTM!

Simple helper with correct path construction.

---

129-165: LGTM!

The Create method provides thorough validation and properly enforces uniqueness constraints before updating indexes.

---

167-187: LGTM!

The atomic write pattern using temp file + rename is correct and provides crash-safety. Cleanup on failure is properly handled.

---

215-230: LGTM!

GetByUsername correctly delegates to GetByID after index lookup with proper validation.

---

232-255: LGTM!

The List implementation correctly releases the lock before loading files and gracefully handles externally deleted files.

---

257-300: LGTM!

The Update method handles username changes correctly with conflict detection and provides rollback on write failure for consistency.

---

336-341: LGTM!

The Count method correctly returns the index size under read lock.

internal/common/config/loader_test.go (5)

162-165: Builtin auth defaults in env-based config look correct.

Expecting Builtin: AuthBuiltin{Admin: AdminConfig{Username: "admin"}, Token: TokenConfig{TTL: 24 * time.Hour}} here nicely encodes the default admin username and token TTL while leaving secret/password at zero values, which matches the intended builtin defaults and keeps the struct shape explicit in the assertion.

---

187-187: UsersDir derived from DataDir (env) is a good invariant to lock in.

Asserting UsersDir: filepath.Join(testPaths, "data", "users") here confirms the new UsersDir derivation from DataDir under env-driven config, aligning it with the other derived path conventions.

---

374-377: Builtin auth defaults populated even when YAML omits builtin block.

Including the Builtin block with default admin username and 24h token TTL in the YAML-based expected config ensures the loader always produces a stable builtin auth shape, even when the YAML doesn’t specify it, which is helpful for future mode switches.

---

417-417: YAML-based UsersDir derivation matches DataDir semantics.

UsersDir: "/var/dagu/data/users" is consistent with the new rule that UsersDir is derived from DataDir, and this expectation keeps the path behavior aligned with the other derived directories.

---

512-512: Edge-case coverage for derived UsersDir is solid.

Extending the derived-paths edge-case test to assert "/custom/data/users" for cfg.Paths.UsersDir nicely guards the new UsersDir derivation when only dataDir is configured.

Reviewing files that changed from the base of the PR and between 2471155 and b2bb2b8.

• internal/common/config/loader.go (6 hunks)
• internal/core/auth/context.go (1 hunks)
• internal/persistence/fileuser/store.go (1 hunks)
• internal/persistence/fileuser/store_test.go (1 hunks)
• internal/service/frontend/auth/builtin.go (1 hunks)
• internal/service/frontend/server.go (4 hunks)
• ui/src/contexts/AuthContext.tsx (1 hunks)
• ui/src/pages/users/index.tsx (1 hunks)

• internal/persistence/fileuser/store_test.go
• ui/src/pages/users/index.tsx
• internal/core/auth/context.go

• GitHub Check: Test on ubuntu-latest
• GitHub Check: Build

ui/src/contexts/AuthContext.tsx (6)

1-3: LGTM!

Imports are clean and minimal, using modern React patterns.

---

12-32: LGTM!

Context type is well-defined with complete auth state and actions. The role hierarchy ordering is correct, and keeping ROLE_HIERARCHY internal while exposing hasRole is a good encapsulation pattern.

---

40-72: LGTM!

The logout callback is properly memoized with empty dependencies. The refreshUser function correctly reads from localStorage directly (rather than stale state) and has appropriate error handling that fails closed by logging out on any error.

---

74-92: LGTM!

Login error handling is robust with the .catch(() => ({})) fallback for non-JSON error responses. State updates follow the correct sequence with localStorage persistence before React state.

---

94-117: LGTM!

The conditional refreshUser call based on authMode correctly handles different authentication strategies. The provider value shape matches the context type.

---

119-153: LGTM!

The useAuth hook properly enforces usage within the provider. Permission hooks correctly differentiate between builtin and external auth modes, with appropriate fallbacks to config.permissions for external modes. The pure hasRole utility enables permission checks outside React components.

internal/service/frontend/server.go (1)

23-25: LGTM!

The new imports for fileuser and authservice are correctly added to support the builtin authentication feature.

internal/service/frontend/auth/builtin.go (5)

1-13: LGTM!

Package declaration, imports, and copyright header are correctly structured.

---

15-50: LGTM!

The middleware implementation correctly:

• Builds an O(1) lookup set for public paths
• Bypasses authentication for public paths
• Extracts and validates Bearer tokens
• Injects authenticated user into request context
• Returns appropriate 401 errors with structured JSON responses

---

73-97: LGTM!

The role-based access control middleware correctly:

• Builds an O(1) role lookup set
• Retrieves the authenticated user from context
• Validates the user has one of the required roles
• Returns appropriate 401/403 errors

---

99-112: LGTM!

The convenience middleware wrappers (RequireAdmin, RequireWrite, RequireExecute) correctly compose RequireRole with appropriate role combinations for common access patterns.

---

114-127: LGTM!

The Bearer token extraction correctly validates the Authorization header format and extracts the token value.

internal/persistence/fileuser/store.go (7)

4-45: File-level structure, constants, and indexing fields are clear and idiomatic

Package docs, constants (extensions/permissions), and the Store layout with byID/byUsername guarded by an RWMutex are straightforward and align with Go conventions; no issues here.

---

76-111: Index rebuild logic and error handling look solid

rebuildIndex correctly clears the maps under a write lock, scans baseDir, filters by the configured extension, and logs-and-skips malformed files instead of failing the whole index, which is a good resilience trade-off. No changes needed.

---

113-126: loadUserFromFile is straightforward and composes well with callers

The helper cleanly wraps file I/O and JSON parsing with %w so callers can use errors.Is on the underlying causes, and returns a properly converted *auth.User. The //nolint:gosec comment is appropriate given the path is internal.

---

171-191: Atomic write pattern and permissions are appropriate

Writing to a *.tmp file with restrictive 0600 permissions and then os.Rename-ing into place, with best-effort cleanup on failure, gives you an atomic and reasonably safe persistence path for single-host use. No changes needed here.

---

219-234: GetByUsername correctly reuses GetByID for consistent semantics

The method validates the input, safely reads byUsername under RLock, and delegates to GetByID so not-found and file-level error handling stay centralized. This is clean and idiomatic.

---

236-259: List behavior is reasonable; order is intentionally unspecified

Listing IDs under RLock, then resolving them via GetByID and skipping ErrUserNotFound users provides a robust view even if concurrent deletions happen. The trade-off of n file reads is acceptable for small-to-moderate user counts and the unspecified ordering is fine unless callers explicitly require sorting.

---

340-345: Count is simple and correctly uses a read lock

Returning int64(len(s.byID)) under RLock is the right level of synchronization for this method; nothing to change here.

Reviewing files that changed from the base of the PR and between b2bb2b8 and ce51fad.

• README.md (2 hunks)
• internal/cmd/context.go (1 hunks)
• internal/common/config/loader.go (7 hunks)
• internal/common/config/loader_test.go (10 hunks)
• internal/core/auth/context.go (1 hunks)
• internal/core/auth/role.go (1 hunks)
• internal/core/auth/user.go (1 hunks)
• internal/integration/queue_shell_test.go (2 hunks)
• internal/persistence/fileuser/store.go (1 hunks)
• internal/service/auth/service.go (1 hunks)
• internal/service/auth/service_test.go (1 hunks)
• internal/service/frontend/api/v1/dags_test.go (0 hunks)
• internal/service/frontend/api/v1/health_test.go (0 hunks)
• internal/service/frontend/api/v2/api.go (8 hunks)
• internal/service/frontend/api/v2/auth.go (1 hunks)
• internal/service/frontend/api/v2/dagruns.go (8 hunks)
• internal/service/frontend/api/v2/dags.go (8 hunks)
• internal/service/frontend/auth/builtin.go (1 hunks)
• internal/service/frontend/server.go (4 hunks)
• internal/service/frontend/templates.go (2 hunks)
• internal/test/server.go (1 hunks)
• ui/src/App.tsx (3 hunks)
• ui/src/components/ChangePasswordModal.tsx (1 hunks)
• ui/src/components/ProtectedRoute.tsx (1 hunks)
• ui/src/components/UserMenu.tsx (1 hunks)
• ui/src/contexts/AuthContext.tsx (1 hunks)
• ui/src/layouts/Layout.tsx (5 hunks)
• ui/src/lib/fetchJson.ts (2 hunks)
• ui/src/pages/login.tsx (1 hunks)
• ui/src/pages/users/ResetPasswordModal.tsx (1 hunks)
• ui/src/pages/users/UserFormModal.tsx (1 hunks)
• ui/src/pages/users/index.tsx (1 hunks)

• internal/service/frontend/api/v1/dags_test.go
• internal/service/frontend/api/v1/health_test.go

• internal/core/auth/user.go
• internal/service/frontend/auth/builtin.go
• ui/src/components/ProtectedRoute.tsx
• internal/service/frontend/api/v2/dagruns.go
• ui/src/layouts/Layout.tsx
• internal/common/config/loader.go
• internal/service/frontend/api/v2/dags.go
• ui/src/pages/login.tsx
• ui/src/pages/users/UserFormModal.tsx

• GitHub Check: Test on ubuntu-latest
• GitHub Check: Build

internal/service/frontend/templates.go (1)

52-64: AuthMode and usersDir exposure in templates is coherent

Plumbing AuthMode into funcsConfig and exposing it via "authMode" plus "pathUsersDir" cleanly aligns templates with the new auth/users configuration; both helpers are simple accessors and safe to use.

Also applies to: 139-144

internal/common/config/loader_test.go (2)

154-166: Good coverage for builtin auth defaults, usersDir, and warnings

The extended expectations for Server.Auth (builtin admin default + 24h TTL), Paths.UsersDir (derived from DataDir), and the explicit OIDC auto-detect warning string give solid regression coverage for the new auth wiring and loader behavior. Nothing to change here.

Also applies to: 188-189, 220-221

---

365-380: AuthMode/AuthBuiltin tests nicely exercise the new matrix of modes

The TestLoad_AuthMode and TestLoad_AuthBuiltin subtests cover YAML and env-driven modes (none, builtin, oidc), builtin admin credentials, token secret/TTL parsing (including default TTL), and permissiveness around empty admin passwords. Together with the warnings tests, this should catch most loader regressions in the auth surface.

Also applies to: 420-421, 835-961

ui/src/contexts/AuthContext.tsx (1)

45-83: AuthProvider state management and token persistence look solid

The provider’s use of localStorage-backed token state, refreshUser on builtin auth, and isAuthenticated: !!user (not just presence of a token) gives a clear and robust client-side model for builtin auth. Error paths correctly fall back to logout() and clear both token and user.

Also applies to: 105-128

internal/cmd/context.go (1)

175-200: Correctly propagate frontend.NewServer errors from Context.NewServer

Returning frontend.NewServer(...) directly matches the updated (*Server, error) constructor and ensures builtin-auth initialization errors surface to CLI callers instead of being dropped.

internal/test/server.go (1)

67-70: Test helper correctly adapts to NewServer’s error return

Capturing (server, err) and asserting require.NoError(t, err) before calling server.Serve is the right adjustment for the new constructor and avoids silently proceeding with a nil server.

internal/integration/queue_shell_test.go (1)

40-53: Integration test’s NewServer usage is updated appropriately

The test now handles frontend.NewServer’s (server, err) return and fails fast on construction errors via require.NoError, which is the right adaptation and keeps the rest of the test logic unchanged.

internal/core/auth/context.go (1)

1-19: LGTM!

The context key pattern using a private type prevents key collisions with other packages. WithUser and UserFromContext follow idiomatic Go context value handling.

ui/src/components/UserMenu.tsx (2)

24-38: LGTM!

The component correctly guards rendering based on auth mode and authentication state. The logout handler properly clears state and navigates to login.

---

55-100: LGTM!

Compact UI design with appropriate element heights (h-7, h-8), dark mode support, and proper keyboard accessibility via the dropdown menu primitives. The modal integration is clean.

ui/src/pages/users/index.tsx (3)

55-79: LGTM!

The fetch implementation properly uses the shared TOKEN_KEY constant, handles errors gracefully, and manages loading state. The useCallback dependency on config.apiURL is correct.

---

81-104: LGTM!

Delete handler correctly checks for deletingUser presence, clears errors on success, and refreshes the user list. Error extraction from API response is handled properly.

---

153-225: LGTM!

Table implementation follows guidelines: inline loading state (not full-page overlay), compact row heights, proper handling of empty state, and self-deletion prevention via disabled={user.id === currentUser?.id}. Dark mode is supported throughout.

ui/src/components/ChangePasswordModal.tsx (2)

52-97: LGTM!

Validation logic is correct (password match, minimum length). Error extraction handles multiple response formats (data.message, data.error?.message). The auto-close after success provides good UX feedback.

---

99-186: LGTM!

Compact modal design with appropriate heights (h-8, h-9), proper accessibility attributes (autoComplete, required), and dark mode support for success/error states.

ui/src/pages/users/ResetPasswordModal.tsx (1)

35-98: LGTM on validation and error handling.

Validation logic (password match, min length, user presence check) and error handling are implemented correctly. The auto-close after success provides consistent UX with other modals.

ui/src/App.tsx (2)

106-156: LGTM!

The routing structure correctly separates public (/login) and protected routes. AuthProvider wrapping ensures auth context is available throughout. The nested ProtectedRoute for /users with requiredRole="admin" provides proper RBAC enforcement—the outer wrapper handles authentication while the inner enforces admin role.

---

139-146: Nested ProtectedRoute is intentional but could be simplified.

The outer ProtectedRoute (line 118) already ensures authentication. The inner ProtectedRoute for /users only needs to check the admin role. The current implementation works correctly, but if ProtectedRoute short-circuits when already authenticated, the double-check is harmless.

internal/core/auth/role.go (1)

8-77: Role/permission helpers are clear and consistent

The Role constants, Valid/CanWrite/CanExecute/IsAdmin, and ParseRole behavior are all coherent and match the documented hierarchy; this will keep authorization checks readable across the codebase.

internal/service/frontend/api/v2/api.go (1)

195-231: Auth middleware split and permission helpers look correct

Wiring builtin JWT auth via BuiltinAuthMiddleware only when AuthModeBuiltin + non-nil authService, with a fallback to the legacy middleware otherwise, looks sound. The requireAdmin/requireWrite/requireExecute helpers correctly short-circuit when auth is disabled and return structured 401/403 errors when enabled, which should integrate cleanly with handleError.

Also applies to: 297-367

internal/service/frontend/server.go (1)

307-313: Disabling v1 API when auth is enabled is clearly signposted

Short-circuiting v1 route setup when Auth.Mode != AuthModeNone and emitting an explicit info log is a good way to make this breaking behavior visible to operators while steering them toward v2.

internal/persistence/fileuser/store.go (1)

20-360: File-backed user store implementation looks robust

The store’s invariants (non-empty ID/username), atomic write pattern, index rebuild, and errors.Is handling for missing files and auth sentinels are all well thought out. The RWMutex usage around the in-memory indices also looks correct for concurrent access.

internal/service/auth/service.go (1)

335-366: Admin bootstrap flow is sensible

EnsureAdminUser’s “no users → create admin (with optional generated password)” semantics, combined with validatePassword and auth.RoleAdmin, look correct and align with the server’s builtin-auth initialization.

Reviewing files that changed from the base of the PR and between ce51fad and b6c5f70.

• internal/service/auth/service.go (1 hunks)
• internal/service/frontend/server.go (4 hunks)
• ui/src/pages/users/ResetPasswordModal.tsx (1 hunks)

• GitHub Check: Test on ubuntu-latest
• GitHub Check: Build

ui/src/pages/users/ResetPasswordModal.tsx (1)

23-173: Overall implementation of ResetPasswordModal looks solid

The component cleanly wires validation, API interaction, error/success feedback, and dialog lifecycle. State reset on close, guarded submit when user is missing, and inline error parsing from the response are all sensible and consistent with the rest of the UI.

internal/service/frontend/server.go (3)

48-89: LGTM! Fail-fast authentication initialization properly implemented.

The updated signature returning (*Server, error) and the fail-fast error propagation at lines 64-66 correctly addresses the concern about servers running without expected authentication when auth is configured but fails to initialize.

---

312-318: LGTM! V1 API deprecation under auth mode is properly communicated.

The startup log message clearly informs operators that V1 API is disabled when authentication is enabled, with guidance to use V2 API instead.

---

103-107: No action needed. UsersDir is properly defined in the PathsConfig struct (internal/common/config/config.go line 202) and initialized during config loading at internal/common/config/loader.go line 279, with a fallback to filepath.Join(cfg.Paths.DataDir, "users") if not explicitly set (lines 442-443). The field is also validated to ensure it's set when builtin auth is enabled.

internal/service/auth/service.go (5)

31-38: LGTM! Security constants are well-chosen.

The bcrypt cost of 12 aligns with OWASP recommendations (10+), and the minimum password length of 8 characters meets baseline security requirements.

---

84-102: LGTM! Secure authentication with timing attack mitigation.

The dummy hash comparison for non-existent users (line 91) prevents timing-based user enumeration, and the consolidated handling of ErrUserNotFound and ErrInvalidUsername (line 88) correctly maps both to ErrInvalidCredentials.

---

148-153: Good security: Algorithm validation prevents JWT confusion attacks.

The explicit check for HMAC signing method (line 149) prevents algorithm substitution attacks where an attacker might try to use "none" or asymmetric algorithms.

---

192-213: LGTM! User creation with proper validation chain.

Password and role validation happen before any persistence, and the bcrypt cost is configurable through the service config.

---

273-280: Good guardrail: Preventing self-deletion.

The ErrCannotDeleteSelf check protects against accidental account lockout by preventing users from deleting their own accounts.