fix: harden dashboard RBAC and cookie auth flows
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 2m17s

Restrict Docker/Files writes to admins, move terminal websocket auth to cookie-first with temporary query fallback, and migrate refresh-token handling to httpOnly cookies for safer session persistence.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Gan, Jimmy
2026-03-09 23:44:23 +08:00
parent e72665c466
commit 4201917e17
11 changed files with 185 additions and 115 deletions
+4 -3
View File
@@ -6,7 +6,7 @@ from collections import Counter
from fastapi import WebSocket, Query
import asyncssh
import config
from auth import get_current_user_ws
import auth
logger = logging.getLogger(__name__)
@@ -95,12 +95,13 @@ async def ws_endpoint(websocket: WebSocket, host: str = Query("nas"), token: str
await websocket.close(code=1008, reason="Unknown host")
return
if not token:
access_token = websocket.cookies.get(auth.ACCESS_COOKIE_NAME) or token
if not access_token:
await websocket.close(code=1008, reason="Unauthorized")
return
try:
user = await get_current_user_ws(token)
user = await auth.get_current_user_ws(access_token)
except Exception:
await websocket.close(code=1008, reason="Unauthorized")
return