Gan, Jimmy
3888a57642
chore: secure dashboard proxy endpoint and decouple lan checks
Deploy Dashboard / deploy (push) Successful in 1m48s
2026-02-27 23:41:36 +08:00
Gan, Jimmy
29a9e9d881
feat: integrate Authelia SSO and update LLDAP routing
Deploy Dashboard / deploy (push) Successful in 16m20s
2026-02-27 23:04:57 +08:00
Gan, Jimmy
394a1aa367
security: harden dashboard (SSH keys, auth, uploads, CORS, non-root)
...
Remove SSH private keys from git, add SECRET_KEY validation, move WS
auth from query string to first message, add session limits/idle timeout,
PBKDF2 Fernet key, refresh token rotation, TOTP replay protection,
file upload size limit + filename sanitization, symlink safety check,
restrict CORS methods, IP-gate OpenClaw token, run container as non-root,
rate-limit refresh/passkey endpoints, sanitize Gitea path params.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com >
2026-02-26 17:22:25 +08:00
Gan, Jimmy
332696689a
fix: support port 8443 origin for WebAuthn passkeys and CORS
2026-02-26 02:00:29 +08:00
Gan, Jimmy
6c3bb26c3d
Clean up: remove stale scripts/docs, fix debug prints, update PLAN.md
2026-02-24 10:14:48 +08:00
Gan, Jimmy
19b3de3c91
Show passkey names and dates, add individual delete
2026-02-22 12:20:05 +08:00
Gan, Jimmy
be1f3b3ad6
Add security improvements: refresh tokens, passkeys, CSP, audit logging, TOTP encryption
...
- Shorten access token to 30min with 7-day refresh token flow
- Add WebAuthn passkey registration and login with TOTP fallback
- Add Content-Security-Policy header
- Add audit logging middleware to /volume1/docker/nas-dashboard/audit.log
- Block /volume1/docker/ in files endpoint
- Encrypt TOTP secret at rest with Fernet (derived from SECRET_KEY)
- New deps: py_webauthn, cryptography
2026-02-22 11:04:40 +08:00
Gan, Jimmy
b1dee47126
Add CORS, rate limiting, security headers, and files endpoint protection
2026-02-21 11:18:29 +08:00
Gan, Jimmy
17e7073fab
Fix proxy env bug in Telegram alert
2026-02-20 22:21:16 +08:00
Gan, Jimmy
dd3e8e0d2c
security: remove hardcoded secrets, add health endpoint, add security headers
2026-02-20 22:04:01 +08:00
Gan, Jimmy
197b7c1cbb
Fix session expiry: use config value, increase to 7 days
...
- LOGIN was ignoring ACCESS_TOKEN_EXPIRE_MINUTES (hardcoded 15min default)
- Pass expires_delta from config in login route
- Increase token lifetime from 30min to 7 days
2026-02-19 19:44:30 +08:00
Gan, Jimmy
bf49e13e56
Add settings page with change password, fix terminal ws bug
Deploy Dashboard / deploy (push) Failing after 2m5s
2026-02-19 17:29:03 +08:00
Gan, Jimmy
651bc0580e
Phase 7: Auth & Security upgrade (JWT, 2FA, Login UI)
2026-02-19 03:47:48 +08:00