yingjieli-admin-auth v1.0.0

subsystem yingjieli.site

capsule://quake0day/[email protected]

Single source of truth for "is this request the site admin?". Implements
a password login that yields an HMAC-signed session cookie (7-day TTL),
plus per-IP brute-force rate limiting via Cloudflare KV.

Owns

POST /api/auth (login), DELETE /api/auth (logout), GET /api/auth (status)
the yl_admin HttpOnly cookie format and TTL
HMAC session token construction and verification
per-IP rate limit (5 attempts / 5 min) backed by KV
the isAuthed(request, env) helper that every other capsule must use

Does not own

the admin's *identity* beyond "knows the shared password" (single-user system)
what an authed admin is allowed to do (other capsules enforce their own write gates)
user-facing login UI (lives in yingjieli-admin-ui)

AI orientation

Single source of truth for admin auth. Other capsules MUST import
isAuthed() from _lib/auth.js — they must never decode the cookie
themselves and must never re-implement HMAC verification.

Avoid

Decoding the yl_admin cookie outside this capsule.
Storing the password or hash anywhere in code or KV (env var only).
Removing the Secure / HttpOnly / SameSite=Strict cookie flags.

Provides

http_api:auth-login — POST /api/auth — exchange password for session cookie.
http_api:auth-logout — DELETE /api/auth — clear session cookie.
http_api:auth-status — GET /api/auth → { authenticated: bool }.
library:auth-helpers — isAuthed, createSession, verifySession, setSessionCookie, clearSessionCookie, json, unauthorized, checkPasswordRateLimit.

Requires

env:ADMIN_PASSWORD — Shared admin password. REQUIRED; POST /api/auth 500s without it.
env:SESSION_SECRET — HMAC signing key for session tokens. Falls back to ADMIN_PASSWORD if unset.
env:YL_DATA — KV namespace; used for per-IP rate-limit counters.

Dependencies

Runtime

node >=18
cloudflare-pages *

Invariants (must always hold)

A revoked / expired session must never authenticate a subsequent request.
ADMIN_PASSWORD must never appear in any response body or log line.
Cookie is always Secure + HttpOnly + SameSite=Strict.

Source files (2)

Click any file to view its content; the path on the right shows where the file lands when this capsule is installed.

src/api/auth.js → functions/api/auth.js
src/_lib/auth.js → functions/_lib/auth.js

Plus capsule.yaml and install.json.

Upstream source

https://github.com/quake0day/yingjieli-capsules.git/blob/main/admin-auth/capsule.yaml

Pull this capsule locally:

capsule pull capsule://quake0day/[email protected]

Or render to your terminal:

capsule man capsule://quake0day/[email protected]