lukas.pupkalipinski/BanGUI
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(auth): dedupe handler + error utils refactor

Browse Source 
- Add 401/403 dedup guard to API client to prevent double logout
- Extract fetchError util: isAuthError + getErrorMessage
- AuthProvider uses new error utils, removes duplicate logic
- Remove completed task docs from Tasks.md

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
This commit is contained in:
Lukas
2026-05-03 22:13:12 +02:00
parent dafe8d61e2
commit 7fcfc14199
4 changed files with 64 additions and 62 deletions
Download Patch File Download Diff File Expand all files Collapse all files

55
Docs/Tasks.md
View File

@@ -1,58 +1,3 @@
### Issue #47: HIGH - CSRF Middleware Hardcodes Cookie Name
**Where found**:
- `backend/app/middleware/csrf.py:38-39` `_SESSION_COOKIE_NAME = "bangui_session"` literal
- `backend/app/utils/constants.py` `SESSION_COOKIE_NAME` constant already exists
**Why this is needed**:
If the session cookie name is changed via configuration, the CSRF middleware will silently stop finding the cookie, either breaking all requests or bypassing CSRF protection depending on the failure mode.
**Goal**:
Use the single source of truth (`SESSION_COOKIE_NAME` constant) everywhere the cookie name is referenced.
**What to do**:
1. Replace the local literal in `csrf.py` with an import of `SESSION_COOKIE_NAME` from `constants.py`.
2. Audit all files for other inline `"bangui_session"` occurrences and replace them.
**Possible traps and issues**:
- If the constant is loaded after middleware is instantiated, ensure import order is safe.
**Docs changes needed**:
- None.
**Doc references**:
- `backend/app/utils/constants.py`
---
### Issue #48: HIGH - CSRF Header Name Has No Shared Constant
**Where found**:
- `backend/app/middleware/csrf.py` header name hardcoded
- `frontend/src/api/client.ts:176` same header name hardcoded independently
**Why this is needed**:
The CSRF header name is duplicated across two codebases with no link between them. Changing it in one place silently breaks CSRF protection.
**Goal**:
Single source of truth for the CSRF header name, consumed by both frontend and backend.
**What to do**:
1. Define `CSRF_HEADER_NAME` in `backend/app/utils/constants.py`.
2. Expose it via a public API endpoint (e.g., `/api/v1/config/constants`) or document it in a shared config file consumed by the frontend build.
3. Reference the constant in `csrf.py` and `client.ts`.
**Possible traps and issues**:
- Exposing security-related header names via API may aid reconnaissance; weigh the trade-off.
**Docs changes needed**:
- `Docs/`: add or update a "Security Headers" section.
**Doc references**:
- `backend/app/middleware/csrf.py`
---
### Issue #49: HIGH - Dual Auth Error Handlers With No Deduplication Guard
**Where found**: