lukas.pupkalipinski/BanGUI
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
c097e552225f2606a2f3cdac9136feb582911d84
BanGUI/Docs/Tasks.md
Lukas c097e55222 fix: setup routing, async bcrypt, password hashing, clean command 
- Add SetupGuard component: redirects to /setup if setup not complete,
  shown as spinner while loading. All routes except /setup now wrapped.
- SetupPage redirects to /login on mount when setup already done.
- Fix async blocking: offload bcrypt.hashpw and bcrypt.checkpw to
  run_in_executor so they never stall the asyncio event loop.
- Hash password with SHA-256 (SubtleCrypto) before transmission; added
  src/utils/crypto.ts with sha256Hex(). Backend stores bcrypt(sha256).
- Add Makefile with make up/down/restart/logs/clean targets.
- Add tests: _check_password async, concurrent bcrypt, expired session,
  login-without-setup, run_setup event-loop interleaving.
- Update Architekture.md and Features.md to reflect all changes.
2026-03-01 19:16:49 +01:00

52 lines
2.3 KiB
Markdown
Raw Blame History

# BanGUI — Task List
This document breaks the entire BanGUI project into development stages, ordered so that each stage builds on the previous one. Every task is described in prose with enough detail for a developer to begin work. References point to the relevant documentation.
---
## ✅ DONE — Issue: Setup forward
**Problem:** No DB present did not forward to setup page; setup page was not redirecting to login when already done.
**Fix:**
- Added `SetupGuard` component (`src/components/SetupGuard.tsx`) that calls `GET /api/setup` on mount and redirects to `/setup` if not complete.
- All routes except `/setup` are now wrapped in `SetupGuard` in `App.tsx`.
- `SetupPage` calls `GET /api/setup` on mount and redirects to `/login` if already complete.
---
## ✅ DONE — Issue: Setup - Error during setup (500)
**Problem:** `POST /api/setup` returned 500 on some runs.
**Root cause:** `bcrypt.hashpw` and `bcrypt.checkpw` are CPU-bound blocking calls. Running them directly in an async FastAPI handler stalls the event loop under concurrent load, causing timeouts / 500 responses.
**Fix:**
- `setup_service.run_setup` now offloads bcrypt hashing to `loop.run_in_executor(None, ...)`.
- `auth_service._check_password` was converted from a sync to an async function, also using `run_in_executor`.
---
## ✅ DONE — Issue: Setup - Security issue (password in plaintext)
**Problem:** `master_password` was transmitted as plain text in the `POST /api/setup` and `POST /api/auth/login` request bodies.
**Fix:**
- Added `src/utils/crypto.ts` with a `sha256Hex(input)` helper using the browser-native `SubtleCrypto` API.
- `SetupPage.handleSubmit` now SHA-256 hashes the password before submission.
- `api/auth.ts login()` now SHA-256 hashes the password before the login POST.
- The backend stores `bcrypt(sha256(password))`. The plaintext never leaves the browser.
---
## ✅ DONE — Clean command
**Problem:** No easy way to wipe all debug compose volumes and start fresh.
**Fix:** Added `Makefile` at the project root with targets:
- `make up` — start the debug stack (detached)
- `make down` — stop the debug stack
- `make restart` — restart the debug stack
- `make logs` — tail all logs
- `make clean``compose down -v --remove-orphans` (removes all debug volumes)
Reference in New Issue View Git Blame Copy Permalink