security: Sprint 00 — critical security fixes (OPC WS auth, Transmission creds, SECRET_KEY, passkey rate limit)
- Add JWT token auth to OPC WebSocket (unauthenticated → 403, per-user tracking) - Externalize Transmission RPC credentials to TRANSMISSION_USER/PASS env vars - Remove hardcoded SECRET_KEY fallback from dev compose - Rate-limit passkey register options endpoint at 5/minute - Add PDD (docs/improvement-plan.md) and sprint specs (specs/) Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
@@ -2,6 +2,8 @@
|
||||
* OPC WebSocket Client - Real-time updates
|
||||
*/
|
||||
|
||||
import { getToken } from "./api.js";
|
||||
|
||||
let ws = null;
|
||||
let reconnectTimer = null;
|
||||
let listeners = new Set();
|
||||
@@ -12,7 +14,9 @@ export function connect() {
|
||||
}
|
||||
|
||||
const protocol = window.location.protocol === "https:" ? "wss:" : "ws:";
|
||||
const wsUrl = `${protocol}//${window.location.host}/ws/opc`;
|
||||
const token = getToken();
|
||||
const tokenParam = token ? `?token=${encodeURIComponent(token)}` : "";
|
||||
const wsUrl = `${protocol}//${window.location.host}/ws/opc${tokenParam}`;
|
||||
|
||||
ws = new WebSocket(wsUrl);
|
||||
|
||||
|
||||
Reference in New Issue
Block a user