feat: add admin session auth for dashboard

Protect dashboard data and admin browser actions behind collector-managed
sessions, and align the new login flow with the existing dashboard design system.

Author: leolionart

.env.example

@@ -21,6 +21,21 @@ LOG_DEBUG_EVENTS_MAX_PER_SYNC=200
 # Timezone offset from UTC (default: 7 for Vietnam)
 TIMEZONE_OFFSET_HOURS=7
 
+# Admin dashboard auth (single shared admin password)
+ADMIN_PASSWORD=change-me
+ADMIN_SESSION_TTL_DAYS=30
+ADMIN_SESSION_COOKIE_NAME=cliproxy_admin_session
+ADMIN_SESSION_SECURE_COOKIE=false
+ADMIN_SESSION_SAMESITE=Lax
+# Optional comma-separated allowlist. Leave empty to allow same-origin host automatically.
+ADMIN_ALLOWED_ORIGINS=
+
 # Frontend polling interval (seconds)
 VITE_AUTO_REFRESH_SECONDS=60
 VITE_APP_LOGS_PAGE_SIZE=500
+
+# Optional: Lark MCP local setup (for Claude Code .mcp.json)
+LARK_APP_ID=cli_xxx
+LARK_APP_SECRET=your-lark-app-secret
+LARK_DOMAIN=https://open.larksuite.com
+LARK_TOOLSETS=preset.base,preset.task,task.v2.task.get,task.v2.task.list,task.v2.tasklist.list,task.v2.tasklist.tasks

README.md

@@ -71,12 +71,21 @@ Edit `.env`:
 DB_PASSWORD=your_secure_password_here
 CLIPROXY_URL=http://host.docker.internal:8317
 CLIPROXY_MANAGEMENT_KEY=<your-management-secret>
+ADMIN_PASSWORD=change-me
 
 # Optional
 COLLECTOR_INTERVAL_SECONDS=300
 TIMEZONE_OFFSET_HOURS=7
+ADMIN_SESSION_TTL_DAYS=30
+ADMIN_SESSION_SECURE_COOKIE=false
+ADMIN_SESSION_SAMESITE=Lax
 ```
 
+Notes:
+- Dashboard now requires admin login before loading UI or `/rest/v1/*` data.
+- The browser stores only an `HttpOnly` session cookie; the password is never stored in browser storage.
+- If you deploy behind HTTPS, set `ADMIN_SESSION_SECURE_COOKIE=true`.
+
 ### 5) Start services
 ```bash
 docker compose up -d
@@ -158,6 +167,47 @@ export CLIPROXY_COLLECTOR_URL="https://your-domain/api/collector/skill-events"
 
 ---
 
+<details>
+<summary><h2>Optional: Lark Suite MCP + local skill</h2></summary>
+
+This repo now includes templates to enable Lark task data access from Claude Code.
+
+### 1) Prepare local MCP config (do not commit secrets)
+
+```bash
+cp .mcp.json.example .mcp.json
+```
+
+`.mcp.json` is ignored by git in this repo, so keep real credentials there.
+
+### 2) Set local environment variables
+
+Use your shell profile (or export in current terminal):
+
+```bash
+export LARK_APP_ID="cli_xxx"
+export LARK_APP_SECRET="your-lark-app-secret"
+export LARK_DOMAIN="https://open.larksuite.com"
+export LARK_TOOLSETS="preset.base,preset.task,task.v2.task.get,task.v2.task.list,task.v2.tasklist.list,task.v2.tasklist.tasks"
+```
+
+### 3) Reload Claude Code session
+
+After saving `.mcp.json` and env vars, restart Claude Code (or reload) so `lark-mcp` can start.
+
+### 4) Use repo-local skill
+
+Skill file: `.claude/skills/lark-suite/SKILL.md`
+
+Ask naturally, for example:
+- "Lấy danh sách task đang open trong Lark"
+- "Lấy chi tiết task theo ID ..."
+- "Tóm tắt task theo trạng thái"
+
+</details>
+
+---
+
 <details>
 <summary><h2>Common operations</h2></summary>
 
@@ -194,6 +244,10 @@ npm install
 npm run dev
 ```
 
+Open Vite dev UI at `http://localhost:5173`.
+
+> Keep the local collector running too. Vite dev proxy now checks the same auth session flow as production, so `/rest/v1/*` stays locked until you log in.
+
 ### Collector (local)
 
 ```bash
@@ -221,7 +275,13 @@ python main.py
 
 - Wait until first collection interval
 - Check collector logs: `docker compose logs -f collector`
-- Trigger manually: `curl -X POST http://localhost:8417/api/collector/trigger`
+- Trigger manually after logging in: `curl -X POST http://localhost:8417/api/collector/trigger`
+
+### Login does not work
+
+- Ensure `.env` contains `ADMIN_PASSWORD` and that it matches what you enter on the login screen
+- For HTTPS deployments, set `ADMIN_SESSION_SECURE_COOKIE=true`; for local HTTP keep it `false`
+- If you use a custom origin or reverse proxy, set `ADMIN_ALLOWED_ORIGINS` to the public dashboard origin
 
 ### PostgREST errors about missing schema