fix: setup routing, async bcrypt, password hashing, clean command
- Add SetupGuard component: redirects to /setup if setup not complete, shown as spinner while loading. All routes except /setup now wrapped. - SetupPage redirects to /login on mount when setup already done. - Fix async blocking: offload bcrypt.hashpw and bcrypt.checkpw to run_in_executor so they never stall the asyncio event loop. - Hash password with SHA-256 (SubtleCrypto) before transmission; added src/utils/crypto.ts with sha256Hex(). Backend stores bcrypt(sha256). - Add Makefile with make up/down/restart/logs/clean targets. - Add tests: _check_password async, concurrent bcrypt, expired session, login-without-setup, run_setup event-loop interleaving. - Update Architekture.md and Features.md to reflect all changes.
23
frontend/src/utils/crypto.ts
Normal file
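--- a/frontend/src/utils/crypto.ts
+++ b/frontend/src/utils/crypto.ts
@@ -0,0 +1,23 @@
+/**
+* Client-side cryptography utilities.
+*
+* Uses the browser-native SubtleCrypto API so no third-party bundle is required.
+*/
+
+/**
+* Return the SHA-256 hex digest of `input`.
+*
+* Hashing passwords before transmission means the plaintext never leaves the
+* browser, even when HTTPS is not enforced in a development environment.
+* The backend then applies bcrypt on top of the received hash.
+*
+* @param input - The string to hash (e.g. the master password).
+* @returns Lowercase hex-encoded SHA-256 digest.
+*/
+export async function sha256Hex(input: string): Promise<string> {
+const data = new TextEncoder().encode(input);
+const hashBuffer = await crypto.subtle.digest("SHA-256", data);
+return Array.from(new Uint8Array(hashBuffer))
+.map((b) => b.toString(16).padStart(2, "0"))
+.join("");
+}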
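Review bot: The docstring on `sha256Hex` overstates what the pre-hash protects. The hex digest is the value the backend verifies (the commit message says it stores bcrypt(sha256)), so on the wire it is password-equivalent and gives no confidentiality for this login without TLS. In addition, `crypto.subtle` is only exposed in secure contexts (HTTPS or localhost), so on a plain-HTTP origin the `digest` call throws a TypeError instead of hashing, which is the very case the comment names. I would add a guard before the `digest` call, such as `if (!globalThis.crypto?.subtle) throw new Error("SubtleCrypto unavailable: serve over HTTPS or localhost");`. The comment should then say that the pre-hash only keeps the raw password from reaching the server and that TLS is still required for transport.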