caddy-proxy-manager

akanealw/caddy-proxy-manager

Fork 0

Commit Graph

Author	SHA1	Message	Date
akanealw	99819b70ff	added caddy-proxy-manager for testing Some checks failed Build and Push Docker Images (Trusted) / build-and-push (., docker/caddy/Dockerfile, caddy) (push) Has been cancelled Details Build and Push Docker Images (Trusted) / build-and-push (., docker/l4-port-manager/Dockerfile, l4-port-manager) (push) Has been cancelled Details Build and Push Docker Images (Trusted) / build-and-push (., docker/web/Dockerfile, web) (push) Has been cancelled Details Tests / test (push) Has been cancelled Details	2026-04-21 22:49:08 +00:00
fuomag9	75044c8d9b	fix: harden security post-review (JWT exposure, rate limiter, token expiry, timing) - Raw JWT never sent to browser: page.tsx uses peekLinkingToken (read-only), client sends opaque linkingId, API calls retrieveLinkingToken server-side - link-account rate limiter now uses isRateLimited/registerFailedAttempt/ resetAttempts correctly (count only failures, reset on success) - linking_tokens gains expiresAt column (indexed) + opportunistic expiry purge on insert to prevent unbounded table growth - secureTokenCompare fixed: pad+slice to expected length so timing is constant regardless of submitted token length (no length leak) - autoLinkOAuth uses config.oauth.allowAutoLinking (boolean) instead of process.env truthy check that mishandles OAUTH_ALLOW_AUTO_LINKING=false - Add Permissions-Policy header; restore X-Frame-Options for legacy UAs Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-02-25 20:58:21 +01:00
fuomag9	be21f46ad5	Added user tab and oauth2, streamlined readme	2025-12-28 15:14:56 +01:00

Author

SHA1

Message

Date

akanealw

99819b70ff

added caddy-proxy-manager for testing

Build and Push Docker Images (Trusted) / build-and-push (., docker/caddy/Dockerfile, caddy) (push) Has been cancelled

Details

Build and Push Docker Images (Trusted) / build-and-push (., docker/l4-port-manager/Dockerfile, l4-port-manager) (push) Has been cancelled

Details

Build and Push Docker Images (Trusted) / build-and-push (., docker/web/Dockerfile, web) (push) Has been cancelled

Details

Tests / test (push) Has been cancelled

Details

2026-04-21 22:49:08 +00:00

fuomag9

75044c8d9b

fix: harden security post-review (JWT exposure, rate limiter, token expiry, timing)

- Raw JWT never sent to browser: page.tsx uses peekLinkingToken (read-only),
  client sends opaque linkingId, API calls retrieveLinkingToken server-side
- link-account rate limiter now uses isRateLimited/registerFailedAttempt/
  resetAttempts correctly (count only failures, reset on success)
- linking_tokens gains expiresAt column (indexed) + opportunistic expiry
  purge on insert to prevent unbounded table growth
- secureTokenCompare fixed: pad+slice to expected length so timing is
  constant regardless of submitted token length (no length leak)
- autoLinkOAuth uses config.oauth.allowAutoLinking (boolean) instead of
  process.env truthy check that mishandles OAUTH_ALLOW_AUTO_LINKING=false
- Add Permissions-Policy header; restore X-Frame-Options for legacy UAs

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

2026-02-25 20:58:21 +01:00

fuomag9

be21f46ad5

Added user tab and oauth2, streamlined readme

2025-12-28 15:14:56 +01:00

3 Commits