Site Gate — Access to form.huph.val.id

Purpose

form.huph.val.id (validation form portal — including the cluster portal, admin live-kb, and all related pages) is gated by a simple shared password to keep public crawlers and accidental visitors out before GTM. This page explains how to use the gate and how to distribute the password.

How the gate works

  • Every fresh visit to form.huph.val.id/* (except /login, /api/auth/gate, /api/internal/*) redirects to /login if the gate cookie is missing.
  • The login form takes a single password. Wrong password → inline "Password salah" error (status 401).
  • Correct password → the huph_form_gate cookie is set with HttpOnly and SameSite=Lax and is valid for 30 days per browser/device.
  • Once the cookie is set, all public portal pages are reachable without re-prompting.

For the admin team — distributing the password

The password is stored in /opt/huph/.env as SITE_PASSWORD. Distribute it out of band (not via public chat or unencrypted email) to:

  • 5 PIC leads (one per cluster: CASS / CBT / CHS / CIST / CNE)
  • Operator team members who need to access admin live-kb
  • Anyone else with a legitimate reason

Acceptable channels: 1Password shared vault, organization password manager, WhatsApp DM to leads (who then relay it to their teams).

Not acceptable: public Slack channels, plain-text email, GitHub issues, screenshots in a public Notion page.

Rotating the password

No UI yet. When you need to rotate (e.g. password leak):

Bash
# Generate a new password, edit /opt/huph/.env, recreate the form container
NEW_PW=$(openssl rand -base64 24 | tr -d '=+/' | cut -c1-22)Aa1!
sed -i "s/^SITE_PASSWORD=.*/SITE_PASSWORD=$NEW_PW/" /opt/huph/.env
docker compose -f /opt/huph/docker-compose.uph-form.yml up -d --force-recreate
echo "New password: $NEW_PW"

Existing cookies stay valid until they expire (30 days) or are cleared manually. To invalidate every active cookie, rotate SITE_GATE_SECRET in .env (the HMAC signing key) and recreate the container — all signed cookies become invalid.

For operators/PICs — first login

  1. Open https://form.huph.val.id in any browser.
  2. You will be redirected to /login. Enter the password your admin team shared.
  3. After login, you land on the cluster picker (or whatever page you originally requested, e.g. /admin/live-kb).
  4. The cookie persists for 30 days — subsequent visits don't prompt again.

Login is not a PIC session

Passing the site gate only proves that you may see the portal; it does not give you a PIC session. To access per-cluster review tabs (AI Suggestions, Live KB, etc.) you still need a magic link that the admin team emails to your PIC address. The magic link creates a PIC session that determines your cluster.

/admin/live-kb on the admin side adds HTTP Basic Auth (ADMIN_USER / ADMIN_PASS) on top of the gate, for 3 layers total.

Troubleshooting

I logged in with the correct password but home returns 500

Happened on 2026-04-29: the Next.js middleware on Edge runtime can't use Node crypto. Fixed in commit c0252fc. If it recurs: check docker logs huph-uph-form for an "edge runtime" message and ping engineering.

huph_form_gate cookie is set but I still get redirected to /login

Check your browser's system time. The HMAC-signed cookie carries a timestamp with a 30-day TTL — if the browser clock is far from the server's, validation fails.

Browser says "site can't be reached"

DNS or network, not the gate. Try a different device. Contact engineering if it persists.
