Wire up Eco web auth so the FastAPI app doesn't have to read SQLite directly #5

Open
opened 2026-05-23 20:54:16 +00:00 by coilysiren · 0 comments
Owner

Originally filed by @coilysiren on 2026-05-18T06:45:40Z - https://github.com/coilysiren/eco-replay/issues/3

Problem

The mod registers GET /api/v1/events and GET /api/v1/events/stats ASP.NET controllers, but Eco's web server on :3001 returns 401 for every probe (X-API-Key, Authorization: Bearer, raw token, etc.) using /eco/server-api-token. That token is a StrangeCloud user JWT, not an admin web token.

The Python web app sidesteps this by reading the SQLite file directly via ECO_REPLAY_DB.

Next steps

  • Figure out what auth eco-jobs-tracker actually uses in prod (it has the same problem — its UPSTREAM_URL hits the same web port).
  • If it's a session cookie from /login, document the credential path.
  • If it's a header that eco-spec-tracker sets via secret env var, document the SSM key.
  • Direct SQLite read is fine for kai-server-local deploys but won't work when the web app is on a different host.
Reference
coilyco-flight-deck/eco-replay#5