security: Sprint 00 — critical security fixes (OPC WS auth, Transmission creds, SECRET_KEY, passkey rate limit)

- Add JWT token auth to OPC WebSocket (unauthenticated → 403, per-user tracking)
- Externalize Transmission RPC credentials to TRANSMISSION_USER/PASS env vars
- Remove hardcoded SECRET_KEY fallback from dev compose
- Rate-limit passkey register options endpoint at 5/minute
- Add PDD (docs/improvement-plan.md) and sprint specs (specs/)

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
Gan, Jimmy
2026-05-03 13:31:25 +08:00
parent 5c7d185953
commit ddaf3c6cee
16 changed files with 987 additions and 21 deletions
+3 -1
View File
@@ -18,7 +18,7 @@ services:
- CADDY_VPS_SSH_USER=ubuntu
- MAC_SSH_HOST=192.168.31.22
- MAC_SSH_USER=jimmyg
- SECRET_KEY=${SECRET_KEY:-c0e8dcd74b2d70c596dfa03928f2582ca8d88af04896a82ee6c2aeeaa6bd6199}
- SECRET_KEY=${SECRET_KEY}
- ADMIN_USER=jimmy
- ADMIN_PASSWORD_HASH=${ADMIN_PASSWORD_HASH}
- TELEGRAM_BOT_TOKEN=${TELEGRAM_BOT_TOKEN:-}
@@ -31,6 +31,8 @@ services:
- LITELLM_API_KEY=anything
- LITELLM_HEALTH_API_KEY=${LITELLM_HEALTH_API_KEY:-}
- GITEA_DB_PASSWORD=${GITEA_DB_PASSWORD}
- TRANSMISSION_USER=${TRANSMISSION_USER:-admin}
- TRANSMISSION_PASS=${TRANSMISSION_PASS:-admin}
volumes:
- /volume1:/volume1
- /volume1/docker/nas-dashboard/ssh/dashboard_terminal:/app/ssh/id_ed25519:ro