Demo Access Control
Demo authentication shell. This is a mock-only,
non-production access-control flow. No real email is sent
from this page. Magic-link tokens are signed locally with the configured
cookie secret; sessions are stored as a single signed cookie. There is no
user database, no SMTP relay, no external identity provider.
What this access control does
- Optional IP allowlist (env SAIP_DEMO_ALLOWED_IPS) — denied IPs cannot reach any route, including /login.
- Optional magic-link sign-in with a 15-minute default TTL (env SAIP_DEMO_TOKEN_TTL_MINUTES).
- Signed session cookie (HMAC-SHA256) with a 60-minute default TTL (env SAIP_DEMO_SESSION_TTL_MINUTES).
- Fail-closed startup: if auth is enabled and the cookie secret is missing, placeholder, or too short, the app refuses to start.
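As an added example (not the project's own code), here is a minimal Python version of the pieces listed above: the fail-closed secret check, TTL reading from the named env vars, and one HMAC-SHA256 signing routine shared by magic-link tokens and the session cookie, with the purpose bound into the MAC so one cannot be replayed as the other. The env var SAIP_DEMO_COOKIE_SECRET, the placeholder list and the 32-character minimum are assumptions; the page does not name them.

```python
import base64
import hashlib
import hmac
import json
import os
import time

# Constructed for this example; the real placeholder list and minimum length are not stated on the page.
PLACEHOLDER_SECRETS = {"changeme", "secret", "placeholder", "replace-me"}
MIN_SECRET_LEN = 32

def load_secret(env=os.environ):
    """Fail-closed startup: refuse to run if the cookie secret is missing, a placeholder, or too short."""
    secret = env.get("SAIP_DEMO_COOKIE_SECRET", "")  # env var name is an assumption
    if not secret or secret.lower() in PLACEHOLDER_SECRETS or len(secret) < MIN_SECRET_LEN:
        raise SystemExit("refusing to start: cookie secret missing, placeholder, or too short")
    return secret.encode()

def ttl_minutes(env, name, default):
    """Read a TTL such as SAIP_DEMO_TOKEN_TTL_MINUTES (default 15) or SAIP_DEMO_SESSION_TTL_MINUTES (default 60)."""
    return int(env.get(name, default))

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(secret, purpose, email, minutes, now=None):
    """Build `payload.mac`; the purpose is part of the MAC input, so a magic-link token is not a valid session cookie."""
    now = time.time() if now is None else now
    payload = _b64(json.dumps({"p": purpose, "e": email, "exp": int(now + minutes * 60)}).encode())
    mac = hmac.new(secret, f"{purpose}.{payload}".encode(), hashlib.sha256).digest()
    return f"{payload}.{_b64(mac)}"

def verify(secret, purpose, token, now=None):
    """Return the email for a valid, unexpired token of this purpose, else None. The MAC is checked before the payload is parsed."""
    now = time.time() if now is None else now
    try:
        payload, mac_text = token.split(".", 1)
        expected = hmac.new(secret, f"{purpose}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(mac_text)):  # constant-time comparison
            return None
        claims = json.loads(_unb64(payload))
    except ValueError:  # covers malformed base64 (binascii.Error) and bad JSON
        return None
    if claims.get("p") != purpose or claims.get("exp", 0) <= now:
        return None
    return claims.get("e")
```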
What this access control does NOT do
- Send real email. There is no SMTP relay; no SMTP credentials are stored anywhere in the repo or container.
- Persist user accounts, tokens, or session metadata to a database.
- Federate with an external identity provider (SSO, OAuth, OIDC).
- Replace a real Tier 4 production auth system. This is a demo shell.