Remove authentication specification and add configuration for file-based authentication #2204

Merged: renuka-fernando merged 3 commits into wso2:main from Thushani-Jayasekera:ai-ws-config on Jun 16, 2026

@Thushani-Jayasekera

  • Deleted the authentication specification document as it is no longer needed.
  • Introduced a new configuration file for the Platform API, enabling file-based authentication with user management capabilities.
  • Updated README for local development instructions, providing two options for running the AI Workspace and Platform API.
  • Adjusted environment variable settings in the AI Workspace to route API calls through a proxy, enhancing security with self-signed certificates.

…sed authentication

- Deleted the authentication specification document as it is no longer needed.
- Introduced a new configuration file for the Platform API, enabling file-based authentication with user management capabilities.
- Updated README for local development instructions, providing two options for running the AI Workspace and Platform API.
- Adjusted environment variable settings in the AI Workspace to route API calls through a proxy, enhancing security with self-signed certificates.
@coderabbitai

coderabbitai Bot commented Jun 16, 2026

📝 Walkthrough

Changes

This PR removes the authentication specification document and introduces a new file-based authentication configuration for the Platform API, along with updates to the AI Workspace local development setup.

Files Changed

Removed:

  • platform-api/spec/authentication.md - Deleted authentication specification document (405 lines removed)

Added/Modified:

  • platform-api/src/config/config.toml - New configuration file enabling file-based authentication mode with server settings, database scaffolding, JWT issuance, and initial admin user setup (82 lines added)
  • portals/ai-workspace/README.md - Expanded "Local development" section with two alternative startup workflows: Option 1 for Docker Compose-based setup and Option 2 for running the AI Workspace frontend and Platform API separately via npm and go commands (26 lines added)
  • portals/ai-workspace/src/config.env.ts - Updated default environment variables to route API calls through a proxy path (/api-proxy/api/v1 and /api-proxy/api/portal/v1) instead of absolute localhost URLs, and changed default authentication mode from OIDC to basic authentication (7 lines added, 5 lines removed)

Impact

The changes enable developers to run the AI Workspace and Platform API using either a containerized Docker approach or a local development approach with proxy-based API routing. The new file-based authentication configuration provides a quickstart option without requiring external identity providers.

Walkthrough

This PR sets up a local development quickstart for file-based authentication. A new config.toml is added to the Platform API with server, database, JWT, file-based auth (including an admin user with bcrypt credentials), and disabled DevPortal settings. The AI Workspace frontend's default API base URLs are changed from absolute localhost addresses to proxy-relative paths (/api-proxy/...), and the default AUTH_MODE is switched from oidc to basic. The AI Workspace README gains two documented local development startup options: one Docker-based and one using direct npm run dev and go run commands. The platform-api/spec/authentication.md specification file is removed entirely.

Suggested Reviewers

  • pubudu538
  • malinthaprasan
  • tharindu1st
  • chamilaadhi
  • dushaniw
  • renuka-fernando
🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Description check | ⚠️ Warning | The description outlines the key changes but does not follow the repository's template structure, lacking sections like Purpose, Goals, Approach, Automation tests, and Security checks. | Restructure the description to match the template by adding Purpose (why these changes), Goals (what problems they solve), Approach (implementation details), Automation tests, and Security checks sections. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title accurately summarizes the main changes: removing an authentication specification and adding file-based authentication configuration, which are the primary modifications across the changeset. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 2

🧹 Nitpick comments (1)
portals/ai-workspace/src/config.env.ts (1)

160-163: ⚡ Quick win

Consider adding a comment to document the proxy routing change.

The PORTAL_API_BASE_URL change mirrors the PLATFORM_API_BASE_URL pattern (relative path via /api-proxy/ proxy), but lacks the explanatory comment present at line 144. Adding a brief comment would improve consistency and help future maintainers understand the routing strategy.

export const PORTAL_API_BASE_URL = getEnvOrDefault(
  'VITE_PORTAL_API_BASE_URL',
+  // Portal API routed via /api-proxy proxy (avoids self-signed TLS cert warnings)
  '/api-proxy/api/portal/v1'
);
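
Review bot: The `+` comment line sits between the two arguments of getEnvOrDefault, so it reads as part of the argument list; move it above the `export const PORTAL_API_BASE_URL` line so it documents the constant. Its wording "avoids self-signed TLS cert warnings" should also say which component now accepts the self-signed certificate, because with the relative '/api-proxy/api/portal/v1' default the browser no longer sees that certificate and the trust decision moves to the proxy.
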
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@portals/ai-workspace/src/config.env.ts` around lines 160 - 163, Add a comment
above the PORTAL_API_BASE_URL constant to document the proxy routing strategy.
Mirror the explanatory comment pattern used for PLATFORM_API_BASE_URL by
describing that this configuration uses a relative path with the /api-proxy/
proxy for routing API requests. This improves code clarity and consistency for
future maintainers understanding the routing approach.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@platform-api/src/config/config.toml`:
- Around line 29-39: The database configuration in the [database] section of
config.toml is entirely commented out, which causes the Driver field to be empty
and triggers an error in the NewConnection function in connection.go:104 when it
encounters an unsupported (empty) database driver. Uncomment either the SQLite
configuration (driver = "sqlite3" and path = "/app/data/api_platform.db") or the
PostgreSQL configuration (host, port, name, user, password, ssl_mode) in the
[database] section so that the Platform API can initialize with a valid database
driver.
- Around line 67-70: The admin user's password_hash in the
[[auth.file_based.users]] section uses the $2y$ prefix (htpasswd format), but
the authentication handler's test cases expect the Go-native $2a$ format.
Regenerate the password hash using a Go-native bcrypt tool to produce a hash
with the $2a$ prefix instead of $2y$, ensuring consistency across the codebase.

---

Nitpick comments:
In `@portals/ai-workspace/src/config.env.ts`:
- Around line 160-163: Add a comment above the PORTAL_API_BASE_URL constant to
document the proxy routing strategy. Mirror the explanatory comment pattern used
for PLATFORM_API_BASE_URL by describing that this configuration uses a relative
path with the /api-proxy/ proxy for routing API requests. This improves code
clarity and consistency for future maintainers understanding the routing
approach.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 5d17d53c-789c-4542-81b5-fb588164f0b5

📥 Commits

Reviewing files that changed from the base of the PR and between aff353d and e2081cd.

📒 Files selected for processing (4)
  • platform-api/spec/authentication.md
  • platform-api/src/config/config.toml
  • portals/ai-workspace/README.md
  • portals/ai-workspace/src/config.env.ts
💤 Files with no reviewable changes (1)
  • platform-api/spec/authentication.md

Comment thread platform-api/src/config/config.toml
Comment on lines +67 to +70
[[auth.file_based.users]]
username = "admin"
password_hash = "$2y$10$U2yKMwGamGwDoMu0hRPT7u8nCuP8z/qxHFOKV6dhIxkJN9NJ0eVQ."
scopes = "ap:organization:manage ap:gateway:manage ap:gateway_custom_policy:manage ap:rest_api:manage ap:llm_provider:manage ap:llm_proxy:manage ap:mcp_proxy:manage ap:webbroker_api:manage ap:websub_api:manage ap:application:manage ap:subscription:manage ap:subscription_plan:manage ap:project:manage ap:llm_template:manage ap:devportal:manage ap:git:read ap:api_key:read"
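
Review bot: The `password_hash` for `username = "admin"` is a fixed value committed with the file, and the `scopes` line grants every listed `ap:*:manage` scope, so every deployment that starts from this config unchanged shares one full-privilege credential whose hash is public. Add a comment above `[[auth.file_based.users]]` stating that the entry is for the local quickstart only, and require the hash to be replaced (or supplied from an environment-specific override) before the file is used anywhere shared.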

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: Check Go crypto/bcrypt documentation and auth handler code.
# Expected: Confirmation that CompareHashAndPassword works with $2y$ format.

grep -n "bcrypt.CompareHashAndPassword" platform-api/src/internal/handler/auth_login.go
go doc golang.org/x/crypto/bcrypt | grep -i "2y\|2a\|2b" || echo "Check Go bcrypt source for format support"

Repository: wso2/api-platform

Length of output: 343


Regenerate bcrypt hash with Go-native format.

The admin password hash uses $2y$ prefix (standard for htpasswd), but the authentication handler's test cases use $2a$ format. For consistency with the codebase's explicit use of $2a$ format, regenerate this hash with a Go-native bcrypt tool rather than htpasswd.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@platform-api/src/config/config.toml` around lines 67 - 70, The admin user's
password_hash in the [[auth.file_based.users]] section uses the $2y$ prefix
(htpasswd format), but the authentication handler's test cases expect the
Go-native $2a$ format. Regenerate the password hash using a Go-native bcrypt
tool to produce a hash with the $2a$ prefix instead of $2y$, ensuring
consistency across the codebase.
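
An added example, not code from this PR or from the wso2/api-platform repository: a standard-library Go check that parses the `password_hash` string quoted in the thread above and reports the variant prefix the review comment flags, without needing the password. The function names, the expected-variant argument and the minimum cost are assumptions chosen for illustration.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// bcrypt's own base64 alphabet (differs from RFC 4648 ordering).
const alphabet = "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
var variants = map[string]bool{"2a": true, "2b": true, "2x": true, "2y": true}

// ParseBcrypt checks the $variant$cost$<22-char salt><31-char digest> layout
// of a stored hash; it needs no password and performs no hashing.
func ParseBcrypt(h string) (variant string, cost int, err error) {
	parts := strings.Split(h, "$")
	if len(parts) != 4 || parts[0] != "" || !variants[parts[1]] {
		return "", 0, fmt.Errorf("not a $2a/2b/2x/2y$cost$payload string")
	}
	cost, err = strconv.Atoi(parts[2])
	if err != nil || len(parts[2]) != 2 || cost < 4 || cost > 31 {
		return "", 0, fmt.Errorf("invalid cost %q", parts[2])
	}
	if len(parts[3]) != 53 || strings.Trim(parts[3], alphabet) != "" {
		return "", 0, fmt.Errorf("payload is not 53 bcrypt-base64 characters")
	}
	return parts[1], cost, nil
}

// Lint returns findings for one password_hash; wantVariant and minCost are assumed policy inputs.
func Lint(h, wantVariant string, minCost int) []string {
	variant, cost, err := ParseBcrypt(h)
	if err != nil {
		return []string{"malformed: " + err.Error()}
	}
	var out []string
	if variant != wantVariant {
		out = append(out, fmt.Sprintf("variant $%s$, expected $%s$", variant, wantVariant))
	}
	if cost < minCost {
		out = append(out, fmt.Sprintf("cost %d is below minimum %d", cost, minCost))
	}
	return out
}

func main() {
	h := "$2y$10$U2yKMwGamGwDoMu0hRPT7u8nCuP8z/qxHFOKV6dhIxkJN9NJ0eVQ." // from the thread above
	fmt.Println(Lint(h, "2a", 10))
}
```

Run over every `[[auth.file_based.users]]` entry in CI, a check like this catches a truncated or mixed-format hash before the service starts.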

…settings

- Changed the default value of the `VITE_DOMAIN` environment variable from `localhost:3009` to `localhost:5380` in both the configuration documentation and the source environment file.
@renuka-fernando renuka-fernando merged commit 790aea7 into wso2:main Jun 16, 2026
3 checks passed