fix: harden dashboard RBAC and cookie auth flows
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 2m17s

Restrict Docker/Files writes to admins, move terminal websocket auth to cookie-first with temporary query fallback, and migrate refresh-token handling to httpOnly cookies for safer session persistence.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Gan, Jimmy
2026-03-09 23:44:23 +08:00
parent e72665c466
commit 4201917e17
11 changed files with 185 additions and 115 deletions
+3 -2
View File
@@ -1,6 +1,7 @@
import docker
from fastapi import APIRouter, Query
from fastapi import APIRouter, Depends, Query
from config import DOCKER_HOST
from rbac import require_admin
router = APIRouter()
client = docker.DockerClient(base_url=DOCKER_HOST)
@@ -21,7 +22,7 @@ def list_containers():
]
@router.post("/containers/{container_id}/{action}")
@router.post("/containers/{container_id}/{action}", dependencies=[Depends(require_admin())])
def container_action(container_id: str, action: str):
if action not in ("start", "stop", "restart"):
return {"error": "invalid action"}