Scrum4Me/lib
Madhura68 e0bec8c55c feat(ST-1003): add /api/auth/pair/start with rate-limit + pre-auth cookie
POST /api/auth/pair/start (anon, runtime: 'nodejs'):
- No authenticateApiRequest — the desktop has no session yet
- Generates a separate mobileSecret + desktopToken via lib/auth/pairing
- Persists only sha256 hashes in login_pairings; status='pending', expires_at = now + 2 min
- Stores user-agent + best-effort IP (truncated to column size)
- Set-Cookie via setPairCookie helper: HttpOnly, Path=/api/auth/pair, Max-Age=120, SameSite=Lax
- Response body: { pairingId, mobileSecret, expiresAt, qrUrl } with qrUrl = origin/m/pair#id=…&s=…
  → the secret travels only via the fragment (#…), never in the query string or access logs

Rate limit: 'pair-start' explicitly added to lib/rate-limit.ts CONFIGS
for self-documentation (10/min, same as login).

Tests __tests__/api/pair-start.test.ts (6 cases):
- 200 with body shape (pairingId, mobileSecret 43-char base64url, qrUrl with
  fragment, expiresAt ISO)
- only hashes in DB, no plaintext
- cookie set with the correct options
- UA + IP truncated to column size
- IP=null if x-forwarded-for is missing
- 11th POST yields 429 with a Dutch (NL) error message

Quality gates: lint 0 errors, tsc clean (after prisma generate), vitest 117/117.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-27 22:34:49 +02:00
auth feat(ST-1002): add pairing helpers, pre-auth cookie + paired-session guard 2026-04-27 22:23:00 +02:00
realtime feat(M8): Realtime Solo Paneel via Postgres LISTEN/NOTIFY (ST-801..ST-806) (#8) 2026-04-27 13:59:32 +02:00
api-auth.ts feat(M8): Realtime Solo Paneel via Postgres LISTEN/NOTIFY (ST-801..ST-806) (#8) 2026-04-27 13:59:32 +02:00
auth.ts feat(ST-350): add auth helpers — getSession, requireUser, requireWriter, requireProductAccess, requireProductWriter 2026-04-26 16:03:32 +02:00
code-server.ts Todo description, entity codes, REST API extensions and Claude Code hardening (ST-509/511/512/513) (#2) 2026-04-26 23:40:54 +02:00
code.ts fix(ST-507): split server-only code helpers into lib/code-server to keep client bundle clean 2026-04-26 20:42:55 +02:00
env.ts feat: ST-001–ST-005 foundation — scaffolding, Prisma, schema, seed, env 2026-04-22 21:04:48 +02:00
prisma.ts chore: SQLite removed — only PostgreSQL via Neon 2026-04-25 12:15:19 +02:00
product-access.ts feat: show active product name in navbar, links to product page 2026-04-26 17:56:50 +02:00
rate-limit.ts feat(ST-1003): add /api/auth/pair/start with rate-limit + pre-auth cookie 2026-04-27 22:34:49 +02:00
session.ts feat(ST-1002): add pairing helpers, pre-auth cookie + paired-session guard 2026-04-27 22:23:00 +02:00
task-status.ts Todo description, entity codes, REST API extensions and Claude Code hardening (ST-509/511/512/513) (#2) 2026-04-26 23:40:54 +02:00
utils.ts feat: ST-001–ST-005 foundation — scaffolding, Prisma, schema, seed, env 2026-04-22 21:04:48 +02:00