
feat: add JWT authentication for admin API#60

Merged
solarhell merged 1 commit into main from feat/admin-auth on Jan 16, 2026

Conversation

@awsl233777 (Collaborator) commented Jan 16, 2026

User description

  • Add optional password authentication via MAXX_ADMIN_PASSWORD env var
  • Implement JWT token generation and validation using golang-jwt/jwt/v5
  • Add login page and auth context for frontend
  • Token valid for 7 days, stored in localStorage

PR Type

enhancement, documentation


Description

  • Implement JWT authentication for admin API

  • Add login page and auth context for frontend

  • Create auth middleware and handlers

  • Update README with authentication instructions


Diagram Walkthrough

flowchart LR
  A["Admin API"] -- "uses" --> B["Auth Middleware"]
  B -- "validates" --> C["JWT Token"]
  A -- "routes" --> D["Auth Handler"]
  D -- "handles" --> E["Login Requests"]

File Walkthrough

Relevant files

Enhancement (7 files)
  main.go: Add authentication middleware and routes (+16/-2)
  auth.go: Implement JWT authentication logic (+100/-0)
  auth_handler.go: Create auth handler for login and status (+81/-0)
  App.tsx: Integrate AuthProvider and LoginPage (+25/-1)
  auth-context.tsx: Manage authentication state and context (+85/-0)
  http-transport.ts: Add auth API methods to transport (+34/-0)
  login.tsx: Create login page for admin access (+71/-0)

Documentation (1 file)
  README.md: Update documentation for admin authentication (+5/-0)

Additional files (4 files)
  go.mod (+1/-0)
  go.sum (+2/-0)
  interface.ts (+8/-0)
  types.ts (+12/-0)

- Add optional password authentication via MAXX_ADMIN_PASSWORD env var
- Implement JWT token generation and validation using golang-jwt/jwt/v5
- Add login page and auth context for frontend
- Token valid for 7 days, stored in localStorage

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
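
A stdlib-only sketch of the flow this PR describes (optional password from MAXX_ADMIN_PASSWORD, an HS256 JWT carrying iss/iat/exp with a 7-day lifetime, a middleware in front of the admin routes), added here as an example and not the project's own code. It differs from the reviewed implementation in one deliberate respect: the token is signed with a random per-process key rather than with the password itself (the review below quotes `token.SignedString([]byte(m.password))`), so a captured token cannot be cracked offline to recover the password, and the password is only ever compared in constant time at login. Every type and function name (Auth, NewAuth, CheckPassword, GenerateToken, ValidateToken, Middleware, tokenExpiry) is an assumption, and golang-jwt/jwt/v5 is intentionally not used so the block runs with no dependencies.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"encoding/json"
	"errors"
	"net/http"
	"strings"
	"time"
)

// All names here are hypothetical; this is an added example, not the project's code.
const tokenExpiry = 7 * 24 * time.Hour

var b64 = base64.RawURLEncoding

type claims struct {
	Iss string `json:"iss"`
	Iat int64  `json:"iat"`
	Exp int64  `json:"exp"`
}

// Auth keeps the login secret and the signing key apart: a leaked token cannot be cracked back to the password.
type Auth struct {
	password []byte           // MAXX_ADMIN_PASSWORD; empty disables authentication
	key      []byte           // random per-process signing key; a restart invalidates old tokens
	now      func() time.Time // injectable clock for expiry tests
}

func NewAuth(password string) *Auth {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err) // no entropy at startup is unrecoverable
	}
	return &Auth{password: []byte(password), key: key, now: time.Now}
}

// CheckPassword compares in constant time so response timing leaks nothing about the secret.
func (a *Auth) CheckPassword(candidate string) bool {
	return len(a.password) > 0 && subtle.ConstantTimeCompare(a.password, []byte(candidate)) == 1
}

func (a *Auth) sign(signingInput string) string {
	mac := hmac.New(sha256.New, a.key)
	mac.Write([]byte(signingInput))
	return b64.EncodeToString(mac.Sum(nil))
}

// GenerateToken mints an HS256 JWT with iss, iat and a 7-day exp, as the PR describes.
func (a *Auth) GenerateToken() string {
	now := a.now()
	hdr, _ := json.Marshal(map[string]string{"alg": "HS256", "typ": "JWT"})
	body, _ := json.Marshal(claims{Iss: "maxx-admin", Iat: now.Unix(), Exp: now.Add(tokenExpiry).Unix()})
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	return input + "." + a.sign(input)
}

// ValidateToken pins the algorithm before touching the signature, then checks signature, iss and exp.
func (a *Auth) ValidateToken(tok string) error {
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return errors.New("malformed token")
	}
	var hdr struct{ Alg string `json:"alg"` }
	if raw, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "HS256" {
		return errors.New("unexpected alg") // rejects alg=none and key-confusion attempts
	}
	if subtle.ConstantTimeCompare([]byte(a.sign(parts[0]+"."+parts[1])), []byte(parts[2])) != 1 {
		return errors.New("bad signature")
	}
	var c claims
	if raw, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &c) != nil || c.Iss != "maxx-admin" {
		return errors.New("bad or foreign claims")
	}
	if c.Exp == 0 || !a.now().Before(time.Unix(c.Exp, 0)) {
		return errors.New("token expired")
	}
	return nil
}

// Middleware passes through when no password is configured, otherwise demands a valid bearer token.
func (a *Auth) Middleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		tok := strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
		if len(a.password) > 0 && (tok == "" || a.ValidateToken(tok) != nil) {
			w.Header().Set("WWW-Authenticate", `Bearer realm="maxx-admin"`) // RFC 6750 challenge
			http.Error(w, `{"error":"unauthorized"}`, http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}
```

ValidateToken reads the `alg` header before computing anything, so `alg=none` or a token signed with some other algorithm is rejected rather than verified against the HMAC key; iss and exp are only checked once the signature is good. A restart rotates the key and logs every admin out, which is usually acceptable for a single-admin UI; a deployment that needs tokens to survive restarts should load the key from its own secret (a separate env var, for instance) rather than fall back to the password.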
@github-actions (Contributor)

PR Reviewer Guide 🔍

Here are some key observations to aid the review process:

⏱️ Estimated effort to review: 4 🔵🔵🔵🔵⚪
🧪 No relevant tests
🔒 Security concerns

Sensitive information exposure:
The use of MAXX_ADMIN_PASSWORD in the environment variable could expose sensitive information if not handled properly. Ensure that this variable is not logged or exposed in error messages.

⚡ Recommended focus areas for review

Token Security

The JWT token generation uses the password directly for signing. Ensure that the password is sufficiently strong and consider using a more secure method for key management.

func (m *AuthMiddleware) GenerateToken() (string, error) {
	claims := jwt.RegisteredClaims{
		ExpiresAt: jwt.NewNumericDate(time.Now().Add(TokenExpiry)),
		IssuedAt:  jwt.NewNumericDate(time.Now()),
		Issuer:    "maxx-admin",
	}

	token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
	return token.SignedString([]byte(m.password))
}

Local Storage Security

The token is stored in localStorage, which can be vulnerable to XSS attacks. Consider using HttpOnly cookies for better security.

const AUTH_TOKEN_KEY = 'maxx-admin-token';

interface AuthContextValue {
  isAuthenticated: boolean;
  isLoading: boolean;
  authEnabled: boolean;
  login: (token: string) => void;
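
The Token Security point above, made concrete as an added example (not the project's code): when the HS256 key is the admin password itself, any single token, whether read out of localStorage by an injected script (the Local Storage point) or copied from a proxy or request log, lets an attacker guess the password offline at HMAC-SHA256 speed with no requests to the server, and a hit yields both forgeable tokens and the password. The token, its timestamps and the wordlist below are constructed for the example, and the function names are hypothetical.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

// Added example with hypothetical names; not the project's code.
var b64 = base64.RawURLEncoding

// hs256 returns the base64url HMAC-SHA256 signature a JWT library computes over "header.payload".
func hs256(signingInput string, key []byte) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(signingInput))
	return b64.EncodeToString(mac.Sum(nil))
}

// mintWithPassword reproduces the reviewed pattern: HS256 keyed directly by the admin password.
// The claims are constructed for the example (iss/iat/exp as the PR describes, 7 days apart).
func mintWithPassword(password string) string {
	hdr := b64.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`))
	body := b64.EncodeToString([]byte(`{"iss":"maxx-admin","iat":1768521600,"exp":1769126400}`))
	input := hdr + "." + body
	return input + "." + hs256(input, []byte(password))
}

// CrackToken runs an offline dictionary attack: each candidate is tried as the HMAC key
// against the captured token, one SHA-256 HMAC per guess and no traffic to the server.
// It returns the recovered password and true, or "" and false.
func CrackToken(token string, candidates []string) (string, bool) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", false
	}
	input := parts[0] + "." + parts[1]
	for _, c := range candidates {
		if hs256(input, []byte(c)) == parts[2] {
			return c, true
		}
	}
	return "", false
}

func main() {
	// Constructed: a token an XSS payload read from localStorage, or one copied from a log.
	captured := mintWithPassword("admin123")
	wordlist := []string{"password", "letmein", "maxx", "admin", "admin123", "changeme"}
	if pw, ok := CrackToken(captured, wordlist); ok {
		fmt.Printf("recovered MAXX_ADMIN_PASSWORD=%q: attacker can now log in and forge tokens\n", pw)
	}
}
```

The loop is bounded only by password entropy and hash throughput, which is why the key used to sign tokens should be independent of the password (a random per-process secret or a dedicated env var) and why a token that is readable by page scripts should be treated as already disclosed.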

@github-actions (Contributor)

PR Code Suggestions ✨

Explore these optional code suggestions:

Category | Suggestion | Impact
Security
Validate token claims for security

Ensure that the token validation process includes checking for the presence of
claims. This will help prevent potential security issues related to token misuse.
Consider adding a check for the Issuer claim to ensure it matches expected values.

internal/handler/auth.go [61]

-...
-return err == nil && token.Valid
+return err == nil && token.Valid && token.Claims.(*jwt.RegisteredClaims).Issuer == "maxx-admin"
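Review bot: the unchecked type assertion `token.Claims.(*jwt.RegisteredClaims)` on the added line panics whenever `token.Claims` holds another type (it does for every token if the parser is `jwt.Parse`, which yields `jwt.MapClaims`), so a bad token could take down the admin API instead of being rejected. In golang-jwt/jwt/v5 pass the parser options `jwt.WithIssuer("maxx-admin")` and `jwt.WithValidMethods([]string{"HS256"})` instead; that performs the issuer check without the assertion and also rejects a token whose `alg` header differs from the one the key was made for, which the suggestion as written does not cover.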
Suggestion importance[1-10]: 8


Why: The suggestion addresses a critical security concern by ensuring that the token's Issuer claim is validated, which helps prevent token misuse.

Medium
General
Standardize unauthorized error responses

Ensure that the error response for unauthorized access includes a consistent
structure. This will help clients handle errors uniformly and improve the API's
usability.

internal/handler/auth_handler.go [32]

-...
 writeJSON(w, http.StatusUnauthorized, map[string]any{
+  "success": false,
+  "error": "Invalid password",
+})
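Review bot: the `{"success": false, "error": ...}` envelope proposed here differs from the `{"error": "unauthorized"}` body the middleware writes in auth.go (line 98, quoted in the next suggestion), so after this change the admin API would still return two differently shaped 401 responses; standardizing means picking one envelope and emitting it from both this `writeJSON` call and the middleware's `json.NewEncoder(w).Encode` call.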
Suggestion importance[1-10]: 6


Why: This suggestion improves the consistency of error responses, which can enhance API usability, but it does not address a critical issue.

Low
Enhance unauthorized error messages

Improve the error response by including a more descriptive message. This can help
clients understand the reason for the unauthorized access, which is crucial for
debugging and user experience.

internal/handler/auth.go [98]

-...
-json.NewEncoder(w).Encode(map[string]string{"error": "unauthorized"})
+json.NewEncoder(w).Encode(map[string]string{"error": "Unauthorized access: valid token required"})
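Review bot: the longer message gives an unauthenticated caller nothing it can act on, and the 401 path should not grow into telling such callers whether a token was missing, expired or forged; what this response is actually missing for a bearer scheme is a `WWW-Authenticate: Bearer` header, which RFC 6750 section 3 requires on a 401, so set that before the body is written and leave the message text as it is.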
Suggestion importance[1-10]: 5


Why: While improving error messages can enhance user experience, this change is not critical and primarily focuses on user feedback rather than security or functionality.

Low

@solarhell solarhell merged commit 4602f25 into main Jan 16, 2026
2 checks passed
@solarhell solarhell deleted the feat/admin-auth branch January 16, 2026 07:24