Skip to content

Authentication for HTTP transport (token-based & mTLS) #58

Description

@Alphanymous

Summary

The HTTP transport currently warns users to add their own auth via a reverse proxy. Bundle opt-in authentication options (token-based and mTLS) to make remote/tunnelled use safer out of the box.

Proposed Changes

Token-based auth (simpler)

# elesync.yml
http:
  auth:
    mode: token
    token_env: ELESYNC_TOKEN   # reads from env var
# Generate a token
ele auth generate-token

# Validate current token setup
ele auth status

Client usage:

Authorization: Bearer <token>

mTLS (advanced)

http:
  auth:
    mode: mtls
    ca_cert: ~/.elesync/ca.crt
    server_cert: ~/.elesync/server.crt
    server_key: ~/.elesync/server.key
# Generate self-signed CA + server cert
ele auth setup-mtls

Behaviour

  • Both modes are opt-in — default remains unauthenticated (localhost-only safe)
  • Clear startup warning if HTTP transport is bound to non-loopback without auth enabled
  • Auth errors return 401 Unauthorized with a helpful message

Acceptance Criteria

  • Token auth mode works end-to-end
  • mTLS mode works end-to-end
  • Warning printed on startup when non-loopback + no auth
  • ele auth generate-token and ele auth setup-mtls helpers exist
  • Docs updated with remote usage guide

Metadata

Metadata

Assignees

No one assigned

    Labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions