Ops-dashboard

janpeter/Ops-dashboard

Fork 0

Commit graph

Author	SHA1	Message	Date
Scrum4Me Agent	aa1fd41bec	feat(security): rate-limit /api/flows/start, CSRF double-submit cookie, CSP headers - Rate-limit /api/flows/start to 10 req/min per user (in-memory, matches login pattern) - Add middleware.ts: validates x-csrf-token header against csrf_token cookie on all API POST requests; issues the cookie on GET if missing; sets CSP, X-Frame-Options, X-Content-Type-Options, and Referrer-Policy on all responses - Add lib/csrf.ts: client-side apiFetch() wrapper that injects the CSRF header - Update all client components (login, useFlowRun, docker, caddy, git, systemd) to use apiFetch() for POST requests - Cookie config in login route already correct (NODE_ENV check, httpOnly, sameSite=strict) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-13 20:01:43 +02:00
Scrum4Me Agent	be05724de0	feat: login page, session management, auth API routes en proxy guard - lib/session.ts: token generatie, SHA-256 hashing, createSession/getCurrentUser/invalidateSession - app/api/auth/login: bcrypt verificatie, session aanmaken, ops_session cookie (httpOnly, sameSite=strict, 24h TTL), rate-limit 5/min per IP - app/api/auth/logout: session invalideren en cookie verwijderen - app/login/page.tsx: login form (client component) - proxy.ts: route-protectie – redirect naar /login zonder sessie (middleware.ts is deprecated in Next.js 16) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-13 17:10:07 +02:00

Author

SHA1

Message

Date

Scrum4Me Agent

aa1fd41bec

feat(security): rate-limit /api/flows/start, CSRF double-submit cookie, CSP headers

- Rate-limit /api/flows/start to 10 req/min per user (in-memory, matches login pattern)
- Add middleware.ts: validates x-csrf-token header against csrf_token cookie on all
  API POST requests; issues the cookie on GET if missing; sets CSP, X-Frame-Options,
  X-Content-Type-Options, and Referrer-Policy on all responses
- Add lib/csrf.ts: client-side apiFetch() wrapper that injects the CSRF header
- Update all client components (login, useFlowRun, docker, caddy, git, systemd)
  to use apiFetch() for POST requests
- Cookie config in login route already correct (NODE_ENV check, httpOnly, sameSite=strict)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

2026-05-13 20:01:43 +02:00

Scrum4Me Agent

be05724de0

feat: login page, session management, auth API routes en proxy guard

- lib/session.ts: token generatie, SHA-256 hashing, createSession/getCurrentUser/invalidateSession
- app/api/auth/login: bcrypt verificatie, session aanmaken, ops_session cookie (httpOnly, sameSite=strict, 24h TTL), rate-limit 5/min per IP
- app/api/auth/logout: session invalideren en cookie verwijderen
- app/login/page.tsx: login form (client component)
- proxy.ts: route-protectie – redirect naar /login zonder sessie (middleware.ts is deprecated in Next.js 16)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

2026-05-13 17:10:07 +02:00

2 commits