BanGUI

lukas.pupkalipinski/BanGUI

Fork 0

Commit Graph

Author	SHA1	Message	Date
Lukas	81f009e323	TASK-022: Hash session tokens in database for security - Store session tokens as one-way SHA256 hashes instead of plaintext - Hash tokens on write (create_session) and on read (get_session, delete_session) - Add migration to drop plaintext sessions table and recreate with token_hash column - Update Session model: token field still contains raw token for signing - Add test to verify tokens are hashed in database, not plaintext - Update Architekture.md to document session token hashing - Update Backend-Development.md with implementation pattern and best practices Prevents direct session token hijacking if database file is exposed to attacker. If plaintext DB was readable, sessions are invalidated by the migration anyway. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>	2026-04-26 14:36:21 +02:00
Lukas	750785680b	feat: Stage 2 — authentication and setup flow Backend (tasks 2.1–2.6, 2.10): - settings_repo: get/set/delete/get_all CRUD for the key-value settings table - session_repo: create/get/delete/delete_expired for session rows - setup_service: bcrypt password hashing, one-time-only enforcement, run_setup() / is_setup_complete() / get_password_hash() - auth_service: login() with bcrypt verify + token creation, validate_session() with expiry check, logout() - setup router: GET /api/setup (status), POST /api/setup (201 / 409) - auth router: POST /api/auth/login (token + HttpOnly cookie), POST /api/auth/logout (clears cookie, idempotent) - SetupRedirectMiddleware: 307 → /api/setup for all API paths until setup done - require_auth dependency: cookie or Bearer token → Session or 401 - conftest.py: manually bootstraps app.state.db for router tests (ASGITransport does not trigger ASGI lifespan) - 85 tests pass; ruff 0 errors; mypy --strict 0 errors Frontend (tasks 2.7–2.9): - types/auth.ts, types/setup.ts, api/auth.ts, api/setup.ts - AuthProvider: sessionStorage-backed context (isAuthenticated, login, logout) - RequireAuth: guard component → /login?next=<path> when unauthenticated - SetupPage: Fluent UI form, client-side validation, inline errors - LoginPage: single password input, ?next= redirect after success - DashboardPage: placeholder (full impl Stage 5) - App.tsx: full route tree (/setup, /login, /, *)	2026-02-28 21:33:30 +01:00

Author

SHA1

Message

Date

Lukas

81f009e323

TASK-022: Hash session tokens in database for security

- Store session tokens as one-way SHA256 hashes instead of plaintext
- Hash tokens on write (create_session) and on read (get_session, delete_session)
- Add migration to drop plaintext sessions table and recreate with token_hash column
- Update Session model: token field still contains raw token for signing
- Add test to verify tokens are hashed in database, not plaintext
- Update Architekture.md to document session token hashing
- Update Backend-Development.md with implementation pattern and best practices

Prevents direct session token hijacking if database file is exposed to attacker.
If plaintext DB was readable, sessions are invalidated by the migration anyway.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

2026-04-26 14:36:21 +02:00

Lukas

750785680b

feat: Stage 2 — authentication and setup flow

Backend (tasks 2.1–2.6, 2.10):
- settings_repo: get/set/delete/get_all CRUD for the key-value settings table
- session_repo: create/get/delete/delete_expired for session rows
- setup_service: bcrypt password hashing, one-time-only enforcement,
  run_setup() / is_setup_complete() / get_password_hash()
- auth_service: login() with bcrypt verify + token creation,
  validate_session() with expiry check, logout()
- setup router: GET /api/setup (status), POST /api/setup (201 / 409)
- auth router: POST /api/auth/login (token + HttpOnly cookie),
               POST /api/auth/logout (clears cookie, idempotent)
- SetupRedirectMiddleware: 307 → /api/setup for all API paths until setup done
- require_auth dependency: cookie or Bearer token → Session or 401
- conftest.py: manually bootstraps app.state.db for router tests
  (ASGITransport does not trigger ASGI lifespan)
- 85 tests pass; ruff 0 errors; mypy --strict 0 errors

Frontend (tasks 2.7–2.9):
- types/auth.ts, types/setup.ts, api/auth.ts, api/setup.ts
- AuthProvider: sessionStorage-backed context (isAuthenticated, login, logout)
- RequireAuth: guard component → /login?next=<path> when unauthenticated
- SetupPage: Fluent UI form, client-side validation, inline errors
- LoginPage: single password input, ?next= redirect after success
- DashboardPage: placeholder (full impl Stage 5)
- App.tsx: full route tree (/setup, /login, /, *)

2026-02-28 21:33:30 +01:00

2 Commits