Remove auth middleware; document Tailscale-only access
The app never wired in the X-Forwarded-User auth middleware, and access
is handled at the network layer via Tailscale. Drop the unused middleware
and its test, and update the README to reflect that there's no in-app
authentication.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01B1uzShtcShruxTxhZPiof2
diff --git a/README.md b/README.md
index dfc5ca1..f0361a7 100644
--- a/README.md
+++ b/README.md
@@ -8,7 +8,7 @@ Domus is where I keep household records. Today that's an inventory of the stuff
Inventory replaces [homebox](https://homebox.software/). Documents replace [paperless-ngx](https://docs.paperless-ngx.com/). Both do more than I need, and I want to keep only the parts I'll actually use.
-Scope is one household. No multi-tenancy, no public sharing, no login screen — authentication happens at the network layer via a reverse proxy header, same pattern as [ketchup](https://github.com/kejadlen/ketchup).
+Scope is one household. No multi-tenancy, no public sharing, no login screen — and no authentication in the app at all. The only way in is over my [Tailscale](https://tailscale.com/) network, so access control lives entirely at the network layer.
## Domain model
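Review bot: The added README line states "The only way in is over my Tailscale network", but nothing in this change documents what enforces that. With no check left in the app, the README should say how the listener is restricted (for example, which address or interface the server binds to, or the firewall rule in front of it). That way a later change to the bind address or a published port is recognisably a change to access control rather than a silent exposure.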
diff --git a/lib/middleware/auth.rb b/lib/middleware/auth.rb
deleted file mode 100644
index c6a2e16..0000000
--- a/lib/middleware/auth.rb
+++ /dev/null
@@ -1,26 +0,0 @@
-# frozen_string_literal: true
-
-module Domus
- module Middleware
- class Auth
- def initialize(app, header: "X-Forwarded-User")
- @app = app
- @header = header
- end
-
- def call(env)
- user = env["HTTP_#{header_name}"]
- return [401, {}, ["Unauthorized"]] unless user
-
- env["domus.user"] = user
- @app.call(env)
- end
-
- private
-
- def header_name
- @header.upcase.tr("-", "_")
- end
- end
- end
-end
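Review bot: The removed `call` is where `env["domus.user"]` was set, so any handler, view or log line that still reads that key will now get nil. The commit message says the middleware was never wired in; a search for `domus.user` and `Middleware::Auth` across the tree would confirm there are no remaining readers or a leftover `use` line, and is worth doing before merge.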
diff --git a/test/test_auth.rb b/test/test_auth.rb
deleted file mode 100644
index 7be1bad..0000000
--- a/test/test_auth.rb
+++ /dev/null
@@ -1,26 +0,0 @@
-# frozen_string_literal: true
-
-require_relative "test_helper"
-require "rack/test"
-require_relative "../lib/middleware/auth"
-
-class TestAuth < Minitest::Test
- include Rack::Test::Methods
-
- def app
- inner = proc { |env| [200, {}, ["hello #{env['domus.user']}"]] }
- Domus::Middleware::Auth.new(inner)
- end
-
- def test_allows_request_with_header
- get "/", {}, { "HTTP_X_FORWARDED_USER" => "alice" }
- assert_equal 200, last_response.status
- assert_equal "hello alice", last_response.body
- end
-
- def test_rejects_request_without_header
- get "/"
- assert_equal 401, last_response.status
- assert_equal "Unauthorized", last_response.body
- end
-end
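Review bot: `require "rack/test"` disappears with this file. If no other test uses rack-test, remove it from the test dependencies in the same commit so the deletion is complete; if other tests do use it, nothing more is needed here.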