caddy-proxy-manager

akanealw/caddy-proxy-manager

Fork 0

Commit Graph

Author	SHA1	Message	Date
fuomag9	f3679f7f45	fix: add statement-breakpoint separators to multi-statement migrations Drizzle's better-sqlite3 migrator splits on '--> statement-breakpoint'. Without it, the entire file is passed to db.prepare() as a single statement, which better-sqlite3 rejects with 'more than one statement'. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-02-26 00:54:56 +01:00
fuomag9	75044c8d9b	fix: harden security post-review (JWT exposure, rate limiter, token expiry, timing) - Raw JWT never sent to browser: page.tsx uses peekLinkingToken (read-only), client sends opaque linkingId, API calls retrieveLinkingToken server-side - link-account rate limiter now uses isRateLimited/registerFailedAttempt/ resetAttempts correctly (count only failures, reset on success) - linking_tokens gains expiresAt column (indexed) + opportunistic expiry purge on insert to prevent unbounded table growth - secureTokenCompare fixed: pad+slice to expected length so timing is constant regardless of submitted token length (no length leak) - autoLinkOAuth uses config.oauth.allowAutoLinking (boolean) instead of process.env truthy check that mishandles OAUTH_ALLOW_AUTO_LINKING=false - Add Permissions-Policy header; restore X-Frame-Options for legacy UAs Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-02-25 20:58:21 +01:00
fuomag9	9a189ea342	fix: store OAuth linking token server-side, remove JWT from URL and audit log Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-02-25 09:31:27 +01:00

Author

SHA1

Message

Date

fuomag9

f3679f7f45

fix: add statement-breakpoint separators to multi-statement migrations

Drizzle's better-sqlite3 migrator splits on '--> statement-breakpoint'.
Without it, the entire file is passed to db.prepare() as a single
statement, which better-sqlite3 rejects with 'more than one statement'.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

2026-02-26 00:54:56 +01:00

fuomag9

75044c8d9b

fix: harden security post-review (JWT exposure, rate limiter, token expiry, timing)

- Raw JWT never sent to browser: page.tsx uses peekLinkingToken (read-only),
  client sends opaque linkingId, API calls retrieveLinkingToken server-side
- link-account rate limiter now uses isRateLimited/registerFailedAttempt/
  resetAttempts correctly (count only failures, reset on success)
- linking_tokens gains expiresAt column (indexed) + opportunistic expiry
  purge on insert to prevent unbounded table growth
- secureTokenCompare fixed: pad+slice to expected length so timing is
  constant regardless of submitted token length (no length leak)
- autoLinkOAuth uses config.oauth.allowAutoLinking (boolean) instead of
  process.env truthy check that mishandles OAUTH_ALLOW_AUTO_LINKING=false
- Add Permissions-Policy header; restore X-Frame-Options for legacy UAs

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

2026-02-25 20:58:21 +01:00

fuomag9

9a189ea342

fix: store OAuth linking token server-side, remove JWT from URL and audit log

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

2026-02-25 09:31:27 +01:00

3 Commits