Update configuration and documentation
- Update .env.example with latest environment variables
- Update deployment and task documentation
- Update backend configuration settings

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@@ -1,38 +1,3 @@
## [MEDIUM] Session secret rotation not implemented
**Where found**
- `backend/app/config.py` — single `session_secret` with no rotation support
**Why this is needed**
If secret leaks, all sessions compromised. No way to invalidate old sessions.
**Goal**
Support gradual secret rotation without forcing logout.
**What to do**
1. Store multiple secrets: current and previous
2. Accept tokens signed with either key
3. Re-sign tokens with current secret on validation
**Possible traps and issues**
- Rotation strategy must be documented
- Metrics needed to track secret usage
**Docs changes needed**
- Update `Docs/Backend-Development.md` § Session Management
**Doc references**
- `Docs/Backend-Development.md`
---
## [MEDIUM] No CORS configuration
**Where found**
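Review bot: the hunk removes the whole "[MEDIUM] Session secret rotation not implemented" task (the `backend/app/config.py` single `session_secret` finding, its three-step rotation plan and the `Docs/Backend-Development.md` § Session Management doc update) without saying why, while the commit message only speaks of "updating" documentation. If the task was completed, the commit should reference the change that added current/previous secret handling in `backend/app/config.py` and confirm the Session Management docs were updated; if it was moved, name the new location. Otherwise the open finding that a leaked secret compromises all sessions with no way to invalidate them is silently dropped from the task list.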