security: harden dashboard (SSH keys, auth, uploads, CORS, non-root)
Remove SSH private keys from git, add SECRET_KEY validation, move WS auth from query string to first message, add session limits/idle timeout, PBKDF2 Fernet key, refresh token rotation, TOTP replay protection, file upload size limit + filename sanitization, symlink safety check, restrict CORS methods, IP-gate OpenClaw token, run container as non-root, rate-limit refresh/passkey endpoints, sanitize Gitea path params. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -66,7 +66,7 @@
|
||||
const proto = location.protocol === "https:" ? "wss:" : "ws:";
|
||||
const token = localStorage.getItem("token") || "";
|
||||
const ws = new WebSocket(
|
||||
`${proto}//${location.host}/ws/terminal?token=${encodeURIComponent(token)}&host=${tab.hostId}`
|
||||
`${proto}//${location.host}/ws/terminal?host=${tab.hostId}`
|
||||
);
|
||||
ws.binaryType = "arraybuffer";
|
||||
function sendSize() {
|
||||
@@ -79,7 +79,7 @@
|
||||
}
|
||||
}
|
||||
|
||||
ws.onopen = () => { updateTab(tabId, { connected: true }); sendSize(); };
|
||||
ws.onopen = () => { ws.send(token); updateTab(tabId, { connected: true }); sendSize(); };
|
||||
ws.onmessage = (e) => term.write(new Uint8Array(e.data));
|
||||
ws.onclose = () => {
|
||||
updateTab(tabId, { connected: false });
|
||||
|
||||
Reference in New Issue
Block a user