Move forward auth under /admin/api/forward

API.md

@@ -8,7 +8,7 @@ This document describes all API endpoints available in the PassKey Auth FastAPI
 
 ### HTTP Endpoints
 GET /auth/ - Main authentication app
-GET /auth/forward-auth - Authentication validation for Caddy/Nginx
+GET /auth/api/forward - Authentication validation for Caddy/Nginx (was /auth/forward-auth)
 POST /auth/validate - Token validation endpoint
 POST /auth/user-info - Get authenticated user information
 POST /auth/logout - Logout current user

Caddyfile

@@ -1,7 +1,7 @@
 (auth) {
 	# Permission check (named arg: perm=...)
 	forward_auth localhost:4401 {
-		uri /auth/forward-auth?{args.0}
+		uri /auth/api/forward?{args.0}
 		copy_headers x-auth-*
 	}
 }

passkey/fastapi/api.py

@@ -47,6 +47,23 @@ async def validate_token(perm=Query(None), auth=Cookie(None)):
     return {"valid": True, "user_uuid": str(s.user_uuid)}
 
 
+@app.get("/forward")
+async def forward_authentication(perm=Query(None), auth=Cookie(None)):
+    """Forward auth validation for Caddy/Nginx (moved from /auth/forward-auth).
+
+    Query Params:
+    - perm: repeated permission IDs the authenticated user must possess (ALL required).
+
+    Success: 204 No Content with x-auth-user-uuid header.
+    Failure (unauthenticated / unauthorized): 4xx JSON body with detail.
+    """
+    try:
+        s = await authz.verify(auth, perm)
+        return Response(status_code=204, headers={"x-auth-user-uuid": str(s.user_uuid)})
+    except HTTPException as e:  # pass through explicitly
+        raise e
+
+
 @app.get("/settings")
 async def get_settings():
     pk = global_passkey.instance

passkey/fastapi/mainapp.py

@@ -3,13 +3,13 @@ import os
 from contextlib import asynccontextmanager
 from pathlib import Path
 
-from fastapi import Cookie, FastAPI, HTTPException, Query, Request, Response
+from fastapi import FastAPI, HTTPException, Request
 from fastapi.responses import FileResponse, RedirectResponse
 from fastapi.staticfiles import StaticFiles
 
 from passkey.util import passphrase
 
-from . import admin, api, authz, ws
+from . import admin, api, ws
 
 STATIC_DIR = Path(__file__).parent.parent / "frontend-build"
 
@@ -75,22 +75,4 @@ async def reset_authentication(request: Request, reset: str):
     return RedirectResponse(request.url_for("frontend", reset=reset), status_code=303)
 
 
-@app.get("/auth/forward-auth")
+## forward-auth endpoint moved to /auth/api/forward in api.py
-async def forward_authentication(request: Request, perm=Query(None), auth=Cookie(None)):
-    """A validation endpoint to use with Caddy forward_auth or Nginx auth_request.
-
-    Query Params:
-    - perm: repeated permission IDs the authenticated user must possess (ALL required).
-
-    Success: 204 No Content with x-auth-user-uuid header.
-    Failure (unauthenticated / unauthorized): 4xx with index.html body so the
-    client (reverse proxy or browser) can initiate auth flow.
-    """
-    try:
-        s = await authz.verify(auth, perm)
-        return Response(
-            status_code=204,
-            headers={"x-auth-user-uuid": str(s.user_uuid)},
-        )
-    except HTTPException as e:
-        return FileResponse(STATIC_DIR / "index.html", e.status_code)