akanealw/caddy-proxy-manager
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
1,947 Commits 2 Branches 4 Tags
75044c8d9b601c559c1e1e4d397fc5fd2caccc85
Commit Graph

4 Commits

Author SHA1 Message Date
fuomag9
75044c8d9b fix: harden security post-review (JWT exposure, rate limiter, token expiry, timing) 
- Raw JWT never sent to browser: page.tsx uses peekLinkingToken (read-only),
  client sends opaque linkingId, API calls retrieveLinkingToken server-side
- link-account rate limiter now uses isRateLimited/registerFailedAttempt/
  resetAttempts correctly (count only failures, reset on success)
- linking_tokens gains expiresAt column (indexed) + opportunistic expiry
  purge on insert to prevent unbounded table growth
- secureTokenCompare fixed: pad+slice to expected length so timing is
  constant regardless of submitted token length (no length leak)
- autoLinkOAuth uses config.oauth.allowAutoLinking (boolean) instead of
  process.env truthy check that mishandles OAUTH_ALLOW_AUTO_LINKING=false
- Add Permissions-Policy header; restore X-Frame-Options for legacy UAs

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-02-25 20:58:21 +01:00
fuomag9
b2238f3101 fix: gate unsafe-eval to dev, drop redundant X-Frame-Options, document PKCE+state 
- CSP script-src 'unsafe-eval' is now dev-only; Next.js HMR needs it in
  development but the production standalone build does not
- Remove X-Frame-Options: DENY since frame-ancestors 'none' in CSP supersedes
  it in all modern browsers; keeping both creates a maintenance hazard
- Add comment explaining why state check is added alongside PKCE default

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-02-25 20:36:43 +01:00
fuomag9
48385684f9 fix: add PKCE to OAuth checks and HTTP security response headers 
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-02-25 18:43:00 +01:00
fuomag9
315192fb54 first rewrite commit 2025-10-31 20:08:28 +01:00