Add security improvements: refresh tokens, passkeys, CSP, audit logging, TOTP encryption

- Shorten access token to 30min with 7-day refresh token flow
- Add WebAuthn passkey registration and login with TOTP fallback
- Add Content-Security-Policy header
- Add audit logging middleware to /volume1/docker/nas-dashboard/audit.log
- Block /volume1/docker/ in files endpoint
- Encrypt TOTP secret at rest with Fernet (derived from SECRET_KEY)
- New deps: py_webauthn, cryptography
This commit is contained in:
Gan, Jimmy
2026-02-22 10:54:23 +08:00
parent a10cb50ca0
commit be1f3b3ad6
10 changed files with 484 additions and 46 deletions
+2 -1
View File
@@ -9,7 +9,7 @@
import Settings from "./routes/Settings.svelte";
import Login from "./routes/Login.svelte";
import { onMount } from "svelte";
import { getToken, checkAuth, setToken } from "./lib/api.js";
import { getToken, checkAuth, setToken, setRefreshToken } from "./lib/api.js";
let page = $state("dashboard");
let dark = $state(false);
@@ -60,6 +60,7 @@
function logout() {
setToken("");
setRefreshToken("");
window.location.reload();
}
</script>