fix: harden dashboard auth and RBAC security flows #33

Merged
jimmy merged 1 commits from dev into main 2026-03-09 23:53:52 +08:00
Owner

Summary

  • harden RBAC by restricting Docker/Files mutating endpoints to admins while keeping read endpoints page-gated
  • move auth to cookie-first flows (login/proxy/refresh/passkey) and add logout cookie clearing
  • remove terminal websocket query token usage on frontend and use cookie-backed refresh/reconnect path

Test plan

  • python3 -m compileall dashboard/backend
  • verify dev container is running healthy after deploy
  • verify deployed container includes new auth cookie + websocket auth markers

🤖 Generated with Claude Code

## Summary - harden RBAC by restricting Docker/Files mutating endpoints to admins while keeping read endpoints page-gated - move auth to cookie-first flows (login/proxy/refresh/passkey) and add logout cookie clearing - remove terminal websocket query token usage on frontend and use cookie-backed refresh/reconnect path ## Test plan - [x] `python3 -m compileall dashboard/backend` - [x] verify dev container is running healthy after deploy - [x] verify deployed container includes new auth cookie + websocket auth markers 🤖 Generated with [Claude Code](https://claude.com/claude-code)
jimmy added 1 commit 2026-03-09 23:53:12 +08:00
fix: harden dashboard RBAC and cookie auth flows
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 2m17s
4201917e17
Restrict Docker/Files writes to admins, move terminal websocket auth to cookie-first with temporary query fallback, and migrate refresh-token handling to httpOnly cookies for safer session persistence.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
jimmy merged commit 0d50958134 into main 2026-03-09 23:53:52 +08:00
Sign in to join this conversation.
No Reviewers
No Label
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: jimmy/nas-tools#33