Access Control for docs.cnclab.io

This site is protected with Google sign-in on the main site and a signed, HttpOnly cookie checked by an Edge Middleware on the docs site.

Quick admin tasks¶

• Add/remove a specific email quickly:

  • Edit api/auth/whitelist.js on the main repo

    • Add to ALWAYS_ALLOWED_EMAILS to grant access immediately

    • Add to NON_CNC_MEMBERS (by name) to block regardless of roster

  • Commit and push → deploy triggers instantly

• Update from the roster (canonical):

  • Edit the lab roster Google Sheet used by getFormattedTeamMembers()

  • Wait up to 1 hour for cache to refresh, or redeploy the main site to clear cache

Environment variables¶

Set in BOTH projects (same values):

• DOCS_SESSION_SECRET: random URL-safe string (≥32 bytes) used to sign the cookie

• Main site only: GOOGLE_CLIENT_ID

Generate a secret:

node -e "console.log(require('crypto').randomBytes(32).toString('base64').replace(/\+/g,'-').replace(/\//g,'_').replace(/=+$/g,''))"

How it works¶

• User visiting docs.cnclab.io without a cookie → redirected to cnclab.io/api/docs-login?next=...

• Main site verifies Google credential and checks whitelist → sets cnclab_docs_session cookie with Domain=.cnclab.io (HttpOnly, 24h)

• Docs Edge Middleware verifies signature and expiry → serves docs if valid

Troubleshooting¶

• Getting redirected repeatedly:

  • Ensure DOCS_SESSION_SECRET is set identically in both projects

  • Confirm cookie cnclab_docs_session exists for .cnclab.io (HttpOnly)

• “Invalid credential” on login:

  • Check GOOGLE_CLIENT_ID matches your OAuth client

  • Verify your email appears in GET /api/auth/whitelist

• Need to revoke access quickly:

  • Add the person’s name to NON_CNC_MEMBERS and deploy