Commit Graph

18 Commits

Author SHA1 Message Date
Gan, Jimmy 4201917e17 fix: harden dashboard RBAC and cookie auth flows
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 2m17s
Restrict Docker/Files writes to admins, move terminal websocket auth to cookie-first with temporary query fallback, and migrate refresh-token handling to httpOnly cookies for safer session persistence.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-09 23:44:23 +08:00
Gan, Jimmy 1b9ea140b6 fix: raise terminal per-user session cap
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 2m44s
Allow more concurrent dashboard terminal tabs per user and use the current access token for websocket reconnects so refreshed sessions keep working.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-07 10:37:08 +08:00
Gan, Jimmy 44f0ed5d04 fix: harden dashboard auth and terminal flows
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 3m29s
Tighten terminal websocket auth and proxy trust handling while making file-backed auth/RBAC writes atomic to reduce high-impact security and persistence risks.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-06 23:53:58 +08:00
Gan, Jimmy c9f06fbbbb fix: keep terminal sessions alive
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 2m23s
Add WebSocket and SSH keepalives so idle dashboard terminal sessions stay connected across proxies and long-running idle periods.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-06 16:11:43 +08:00
Gan, Jimmy 4f95f0249d feat: add Mac host to dashboard terminal
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 2m15s
Add a dedicated Mac terminal target with separate SSH host/user/key settings and mount a dedicated Mac key file for dashboard containers.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-06 08:32:54 +08:00
Claude Code da88513456 fix: keep dashboard terminal sessions alive
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 2m5s
Remove backend idle timeout enforcement so terminal sessions persist until the UI disconnects or the SSH process ends.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-03 05:48:14 +00:00
Gan, Jimmy 9992105b49 feat: RBAC multi-user role-based access control
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 1m14s
- Add rbac.py with User model, LDAP group-to-role mapping, page/write dependencies
- Proxy auth reads Remote-Groups header to resolve role from LDAP groups
- JWT tokens carry role claim, /me returns role + allowed pages
- Per-router page access control and viewer write protection
- Terminal WebSocket RBAC check
- Frontend filters sidebar links and routes by allowed pages
- Admin-only Settings page and RBAC override endpoints
- Mount rbac.json in docker-compose for page config persistence
2026-03-01 14:13:43 +08:00
Gan, Jimmy 3fd045aacb feat: security hardening and HTTPS/SSO infrastructure configs
Deploy Dashboard / deploy (push) Successful in 1m28s
- Narrow trusted proxies, remove overly broad 10.0.0.0/8
- Fail closed on missing SSH known_hosts in terminal proxy
- Add Navidrome reverse proxy headers for Authelia SSO
- Add Gitea docker-compose definition
- Add Caddy configs for NAS and VPS edge proxies
- Add dnsmasq split-horizon DNS config
- Add security execution plan document
2026-02-28 22:25:39 +08:00
Gan, Jimmy 7f94013bf9 feat: add Caddy VPS terminal connection
Deploy Dashboard / deploy (push) Successful in 1m44s
2026-02-27 00:26:01 +08:00
Gan, Jimmy 394a1aa367 security: harden dashboard (SSH keys, auth, uploads, CORS, non-root)
Remove SSH private keys from git, add SECRET_KEY validation, move WS
auth from query string to first message, add session limits/idle timeout,
PBKDF2 Fernet key, refresh token rotation, TOTP replay protection,
file upload size limit + filename sanitization, symlink safety check,
restrict CORS methods, IP-gate OpenClaw token, run container as non-root,
rate-limit refresh/passkey endpoints, sanitize Gitea path params.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-02-26 17:22:25 +08:00
Gan, Jimmy b03b20aee6 feat: terminal tabs with on-demand connections and Claude Dev host 2026-02-26 02:59:25 +08:00
Gan, Jimmy a882f45f2e Add multi-host terminal: NAS + VPS side-by-side 2026-02-20 00:53:29 +08:00
Gan, Jimmy 6f540ccdce Fix terminal: use create_process with binary encoding for PTY I/O 2026-02-19 20:32:36 +08:00
Gan, Jimmy ee2e5dcb3c Terminal: SSH to NAS host instead of container shell
- Rewrite terminal.py to use asyncssh instead of pty/fork
- Add SSH key pair for dashboard container auth
- Mount SSH key and add SSH config vars in docker-compose
- Install openssh-client in Dockerfile
- Add asyncssh to requirements.txt
2026-02-19 19:24:38 +08:00
Gan, Jimmy 69bd41b5a1 Fix terminal: pass JWT via query param, remove Docker-incompatible IP check
Deploy Dashboard / deploy (push) Failing after 2m11s
2026-02-19 17:44:55 +08:00
Gan, Jimmy bf49e13e56 Add settings page with change password, fix terminal ws bug
Deploy Dashboard / deploy (push) Failing after 2m5s
2026-02-19 17:29:03 +08:00
Gan, Jimmy 651bc0580e Phase 7: Auth & Security upgrade (JWT, 2FA, Login UI) 2026-02-19 03:47:48 +08:00
Gan, Jimmy 70aa421d7f Add NAS dashboard MVP: Docker mgmt, Gitea, Files, Terminal 2026-02-19 01:59:50 +08:00