Next Steps & Priority List¶

Open items and future improvements for PIN Gate authentication.

Priority 1: Immediate (This Sprint)¶

Testing & Validation¶

Test all 19 protected sites with real browser sessions
Verify cookie persistence across subdomain navigation
Test mobile browsers (iOS Safari, Android Chrome)
Validate error handling (wrong PIN, expired sessions)

Production Hardening¶

Set production PIN hash - Currently using plain PIN in .env

# Generate hash
echo -n "YOUR_SECURE_PIN" | sha256sum | cut -d' ' -f1
# Update .env
PIN_GATE_PIN_HASH=<hash>
# Remove plain PIN
# PIN_GATE_PIN=...

Generate persistent secret key - Auto-generated key changes on restart

python3 -c "import secrets; print(secrets.token_hex(32))"
# Add to .env: PIN_GATE_SECRET=<key>

Priority 2: Security Enhancements¶

Rate Limiting¶

Add NGINX rate limiting on /auth/login to prevent brute force

# In http block
limit_req_zone $binary_remote_addr zone=pin_limit:10m rate=5r/m;

# In server block
location = /auth/login {
    limit_req zone=pin_limit burst=3 nodelay;
    proxy_pass http://pin_gate_auth;
}

Audit Logging¶

Log authentication attempts (success/failure) with timestamps and IPs
Consider structured logging (JSON) for log aggregation
Add log rotation for auth logs

Session Management¶

Add /auth/sessions endpoint to view active sessions (admin only)
Implement session revocation capability
Consider session binding to IP (currently disabled for mobile)

Priority 3: API Improvements¶

JSON Error Responses for APIs¶

Update API site configs to return JSON 401 instead of redirect

location /api/ {
    auth_request /internal/auth/verify;
    error_page 401 = @api_unauthorized;
    proxy_pass http://backend;
}

location @api_unauthorized {
    default_type application/json;
    return 401 '{"error": "authentication_required", "auth_url": "/auth/pin"}';
}

Apply to: ky04api, mi20api, testsiteapi, models.nominate.ai

Health & Monitoring¶

Add Prometheus metrics endpoint (/metrics)
Track: auth attempts, success rate, active sessions, response times
Add to monitoring dashboard

Priority 4: Future Evolution¶

Multi-User Support¶

Replace single PIN with user database
Add user registration/management
Per-user session tracking

Enhanced Authentication¶

OAuth2/OIDC provider support
TOTP 2FA option
WebAuthn/passkey support
SSO integration

Admin Interface¶

Web UI for PIN management
Session viewer/revocation
Audit log viewer
Protected site management

Completed This Session¶

Initial implementation and deployment (v1.0)
Systemd service setup on port 32202 (v1.0)
Protected 19 sites across *.nominate.ai (v1.3)
Localhost exemption for internal services (v1.4)
Comprehensive API documentation (v1.5)
Fixed post-auth redirect to original URL (v1.6, v1.7)

Known Issues¶

Issue	Status	Notes
CDN/Files might need special handling	To Test	Large file downloads with auth
WebSocket connections	To Test	May need separate auth handling
API rate limits not configured	Open	Brute force protection needed

Quick Reference¶

Current Version: v1.7

Service Management:

sudo systemctl status cbauth
sudo systemctl restart cbauth
sudo journalctl -u cbauth -f

NGINX:

sudo nginx -t && sudo systemctl reload nginx

Change PIN:

# Edit /home/bisenbek/projects/nominate/cbauth/.env
sudo systemctl restart cbauth