CPM can now act as its own forward auth provider for proxied sites.
Users authenticate at a login portal (credentials or OAuth) and Caddy
gates access via a verify subrequest, eliminating the need for external
IdPs like Authentik.
Key components:
- Forward auth flow: verify endpoint, exchange code callback, login portal
- User groups with membership management
- Per-proxy-host access control (users and/or groups)
- Caddy config generation for forward_auth handler + callback route
- OAuth and credential login on the portal page
- Admin UI: groups page, inline user/group assignment in proxy host form
- REST API: /api/v1/groups, /api/v1/forward-auth-sessions, per-host access
- Integration tests for groups and forward auth schema
Also fixes mTLS E2E test selectors broken by the RBAC refactor.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Replace 3 separate icon buttons (Copy/Edit/Delete) with DropdownMenu "..."
in ProxyHostsClient and L4ProxyHostsClient — matches shadcn tasks pattern
- Add Status badge column to proxy host tables (Active/Paused) instead of
relying solely on inline Switch for status visibility
- Mobile cards updated to use DropdownMenu + cleaner layout with Badge
- Use PageHeader component consistently across all pages:
CertificatesClient, AuditLogClient, AccessListsClient now use PageHeader
instead of inline h1/p elements
- Wrap search fields in flex toolbar div above tables
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Replaces all MUI components in 8 dashboard page files with shadcn/ui
and Tailwind. Adds global TooltipProvider to app/providers.tsx.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- New `ca_certificates` table for reusable CA certs (migration 0011)
- CA cert CRUD model, server actions, and UI dialogs
- Proxy host create/edit dialogs include mTLS toggle + CA cert selection
- Caddy config generates `client_authentication` TLS policy blocks with
`require_and_verify` mode for hosts with mTLS enabled
- CA certs sync to slave instances via instance-sync payload
- Certificates page shows CA Certificates section
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
When editing a proxy host with certificate_id set to null (auto), the
dropdown would not show "Managed by Caddy (Auto)" as selected and it
would revert to another certificate. There were two issues:
1. Form submission: Empty string from dropdown was treated as falsy,
returning undefined instead of null (means "don't change")
2. Database update: The ?? operator treated null as falsy and fell back
to existing value instead of saving null
Changes:
- app/(dashboard)/proxy-hosts/actions.ts: Check formData.has() and
explicitly convert empty string to null for auto mode
- src/lib/models/proxy-hosts.ts: Use !== undefined instead of ?? to
allow null values to be saved
- app/(dashboard)/proxy-hosts/ProxyHostsClient.tsx: Add Certificate
column to table showing "Managed by Caddy (Auto)" for auto certs
Applied same fixes to access_list_id for consistency.
Now when users select "Managed by Caddy (Auto)", it correctly sets
certificate_id to null, displays properly on subsequent edits, and
shows in the table view.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Add router.refresh() to proxy-hosts and redirects dialogs
- Auto-close dialogs 1 second after successful form submission
- Fixes stale data not refreshing after create/edit/delete operations
- Fixes localhost redirect issues (requires BASE_URL env var to be set)
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
