BanGUI/Docs/Tasks.md
Lukas c097e55222 fix: setup routing, async bcrypt, password hashing, clean command
- Add SetupGuard component: redirects to /setup if setup not complete,
  shown as spinner while loading. All routes except /setup now wrapped.
- SetupPage redirects to /login on mount when setup already done.
- Fix async blocking: offload bcrypt.hashpw and bcrypt.checkpw to
  run_in_executor so they never stall the asyncio event loop.
- Hash password with SHA-256 (SubtleCrypto) before transmission; added
  src/utils/crypto.ts with sha256Hex(). Backend stores bcrypt(sha256).
- Add Makefile with make up/down/restart/logs/clean targets.
- Add tests: _check_password async, concurrent bcrypt, expired session,
  login-without-setup, run_setup event-loop interleaving.
- Update Architekture.md and Features.md to reflect all changes.
2026-03-01 19:16:49 +01:00


BanGUI — Task List

This document breaks the entire BanGUI project into development stages, ordered so that each stage builds on the previous one. Every task is described in prose with enough detail for a developer to begin work. References point to the relevant documentation.


DONE — Issue: Setup forward

Problem: When no database was present, the app did not forward to the setup page, and the setup page did not redirect to login when setup was already done.

Fix:

  • Added SetupGuard component (src/components/SetupGuard.tsx) that calls GET /api/setup on mount and redirects to /setup if not complete.
  • All routes except /setup are now wrapped in SetupGuard in App.tsx.
  • SetupPage calls GET /api/setup on mount and redirects to /login if already complete.

DONE — Issue: Setup - Error during setup (500)

Problem: POST /api/setup returned 500 on some runs.

Root cause: bcrypt.hashpw and bcrypt.checkpw are CPU-bound blocking calls. Running them directly in an async FastAPI handler stalls the event loop under concurrent load, causing timeouts / 500 responses.

Fix:

  • setup_service.run_setup now offloads bcrypt hashing to loop.run_in_executor(None, ...).
  • auth_service._check_password was converted from a sync to an async function, also using run_in_executor.
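The stall described in the root cause, and the effect of the run_in_executor fix, as an added example (not BanGUI's own code). All function names here are hypothetical, and when the bcrypt package is not installed the block falls back to hashlib.pbkdf2_hmac as a stand-in CPU-bound hash.

```python
import asyncio
import hashlib
import os

try:
    import bcrypt  # library named in the task list

    def slow_hash(digest: bytes) -> bytes:
        return bcrypt.hashpw(digest, bcrypt.gensalt(rounds=12))
except ImportError:
    # Assumption: stdlib stand-in so the demo runs without bcrypt installed.
    def slow_hash(digest: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", digest, os.urandom(16), 600_000)

# Constructed sample: the 64-char hex SHA-256 the frontend would submit.
CLIENT_DIGEST = hashlib.sha256(b"constructed-sample-password").hexdigest().encode()

async def hash_blocking(digest: bytes) -> bytes:
    """Before the fix: the hash runs on the event-loop thread."""
    return slow_hash(digest)

async def hash_offloaded(digest: bytes) -> bytes:
    """After the fix: the hash runs in the default thread pool."""
    loop = asyncio.get_running_loop()
    return await loop.run_in_executor(None, slow_hash, digest)

async def ticks_during(hasher, concurrent: int = 4) -> int:
    """Count 5 ms heartbeats the loop serves while `concurrent` hashes run."""
    ticks = 0
    done = asyncio.Event()

    async def heartbeat() -> None:
        nonlocal ticks
        while not done.is_set():
            await asyncio.sleep(0.005)
            ticks += 1

    beat = asyncio.create_task(heartbeat())
    await asyncio.gather(*(hasher(CLIENT_DIGEST) for _ in range(concurrent)))
    done.set()
    await beat
    return ticks

def compare() -> tuple:
    """Return (ticks with blocking hashes, ticks with offloaded hashes)."""
    return asyncio.run(ticks_during(hash_blocking)), asyncio.run(ticks_during(hash_offloaded))

if __name__ == "__main__":
    print(compare())
```

The heartbeat stands in for every other request the server should be answering while a hash is computed. bcrypt accepts at most 72 bytes of input, and the 64-character hex digest fits within that.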

DONE — Issue: Setup - Security issue (password in plaintext)

Problem: master_password was transmitted as plain text in the POST /api/setup and POST /api/auth/login request bodies.

Fix:

  • Added src/utils/crypto.ts with a sha256Hex(input) helper using the browser-native SubtleCrypto API.
  • SetupPage.handleSubmit now SHA-256 hashes the password before submission.
  • api/auth.ts login() now SHA-256 hashes the password before the login POST.
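  • The backend stores bcrypt(sha256(password)). The plaintext never leaves the browser; the SHA-256 hex digest is what travels in the request body and what the backend verifies, so on the wire the digest serves as the credential.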

DONE — Clean command

Problem: No easy way to wipe all debug compose volumes and start fresh.

Fix: Added Makefile at the project root with targets:

  • make up — start the debug stack (detached)
  • make down — stop the debug stack
  • make restart — restart the debug stack
  • make logs — tail all logs
  • make clean — compose down -v --remove-orphans (removes all debug volumes)