PIN Gate Authentication
cbauth - Domain-wide PIN-based authentication service for *.nominate.ai subdomains.
Overview
PIN Gate provides simple PIN-based access control integrated with NGINX via auth_request. Once authenticated, users have access to all protected subdomains through a shared domain cookie.
Architecture

    Client Request → NGINX → auth_request → PIN Gate (/auth/verify)
                                                  ↓
                                  200 (valid cookie) → proxy to backend
                                  401 (no cookie) → redirect to /auth/pin

Key Features
- Domain-wide authentication - Single PIN grants access to all *.nominate.ai subdomains
- NGINX integration - Uses auth_request module for transparent protection
- Secure cookies - HttpOnly, Secure, SameSite=Lax with HMAC-SHA256 signing
- Configurable TTL - Default 7-day session lifetime
Endpoints
| Endpoint | Method | Description |
|---|---|---|
| /auth/verify | GET | Verify session token (called by NGINX) |
| /auth/pin | GET | PIN entry form |
| /auth/login | POST | Submit PIN for authentication |
| /health | GET | Health check |
Configuration
| Variable | Default | Description |
|---|---|---|
| PIN_GATE_PIN | 123456 | Plain PIN (hashed on startup) |
| PIN_GATE_DOMAIN | .nominate.ai | Cookie domain |
| PIN_GATE_TTL | 604800 | Session TTL in seconds (7 days) |
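
The check behind /auth/verify, sketched as an added example that is not cbauth's own code. The token layout (expiry.nonce.mac), the function names and the key handling are assumptions; only HMAC-SHA256 signing, the 200/401 results and the 604800-second TTL come from this page.

```python
import base64
import hashlib
import hmac
import secrets
import time
from typing import Optional

SESSION_TTL = 604800  # PIN_GATE_TTL default from the table above (7 days)


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def issue_token(key: bytes, now: int, ttl: int = SESSION_TTL) -> str:
    """Build '<expiry>.<nonce>.<mac>' (assumed layout, not cbauth's)."""
    payload = f"{now + ttl}.{_b64(secrets.token_bytes(16))}"
    mac = hmac.new(key, payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{_b64(mac)}"


def verify_token(key: bytes, token: Optional[str], now: int) -> int:
    """Return the status NGINX auth_request acts on: 200 or 401."""
    if not token:
        return 401  # no cookie sent
    parts = token.split(".")
    if len(parts) != 3:
        return 401  # malformed
    payload = f"{parts[0]}.{parts[1]}"
    expected = _b64(hmac.new(key, payload.encode(), hashlib.sha256).digest())
    # Verify the MAC in constant time before trusting any field.
    if not hmac.compare_digest(expected.encode(), parts[2].encode()):
        return 401  # forged or tampered
    if not (parts[0].isascii() and parts[0].isdigit()):
        return 401
    if int(parts[0]) <= now:
        return 401  # expired
    return 200


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # constructed signing key for the demo
    now = int(time.time())
    cookie = issue_token(key, now)
    print(verify_token(key, cookie, now))                    # fresh session
    print(verify_token(key, cookie, now + SESSION_TTL + 1))  # past the TTL
    print(verify_token(key, None, now))                      # no cookie
```

The expiry sits inside the signed payload, so a client cannot extend its own session by editing the cookie.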
Service
- Port: 32202
- Domain: auth.nominate.ai
- Systemd: cbauth.service
Documentation
- Full Setup Guide - Complete implementation details
- CLAUDE.md - AI coding guide