Gan, Jimmy
30a8196c12
fix: S06.6 guard window.isSecureContext in Login.svelte (SSR-safe) / S06.7 remove legacy localStorage refresh token
2026-07-10 22:57:31 +08:00
Gan, Jimmy
4201917e17
fix: harden dashboard RBAC and cookie auth flows
...
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 2m17s
Restrict Docker/Files writes to admins, move terminal websocket auth to cookie-first with temporary query fallback, and migrate refresh-token handling to httpOnly cookies for safer session persistence.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com >
2026-03-09 23:44:23 +08:00
Gan, Jimmy
2da9d47bdd
Fix passkey login on non-HTTPS connections
2026-02-22 16:52:27 +08:00
Gan, Jimmy
be1f3b3ad6
Add security improvements: refresh tokens, passkeys, CSP, audit logging, TOTP encryption
...
- Shorten access token to 30min with 7-day refresh token flow
- Add WebAuthn passkey registration and login with TOTP fallback
- Add Content-Security-Policy header
- Add audit logging middleware to /volume1/docker/nas-dashboard/audit.log
- Block /volume1/docker/ in files endpoint
- Encrypt TOTP secret at rest with Fernet (derived from SECRET_KEY)
- New deps: py_webauthn, cryptography
2026-02-22 11:04:40 +08:00
Gan, Jimmy
651bc0580e
Phase 7: Auth & Security upgrade (JWT, 2FA, Login UI)
2026-02-19 03:47:48 +08:00