Phase 1 auth security hotfixes: cookie-based session, bearer checks, router guard sync
- Remove access_token from OAuth callback URL (token leak fix)
- Add sanitizeReturnTo() to prevent open redirect on login/callback
- Add Bearer token expiration check in resolve_user_by_bearer()
- Add user status check in load_user_by_id() (block inactive/banned)
- Cache authStore.init() promise to prevent race condition
- Await auth init in router beforeEach guard
- Remove URL token parsing from main.js and LoginPage
- Remove hasTokenInUrl workaround from client.js 401 handler
1 parent dc6249e commit e90acee138384fe6ce9aed0842cfab7227937843
Eugene Sukhodolskiy authored 4 hours ago
Showing 15 changed files
docs/planning/auth-fix-plan.md 0 → 100644
server/SHServ/Controllers/AuthController.php
server/SHServ/Integrations/GAuth/AuthControllerTrait.php
server/dist/assets/NotFoundPage-ByVMbBKn.js 100644 → 0
server/dist/assets/NotFoundPage-DmNfJ50v.js 0 → 100644
server/dist/assets/index-B7P9_yBY.js 100644 → 0
server/dist/assets/index-CpvNzM6m.css 0 → 100644
server/dist/assets/index-CvrfkFYK.css 100644 → 0
server/dist/assets/index-DAqizFIn.js 0 → 100644
server/dist/index.html
webclient/src/api/client.js
webclient/src/app/main.js
webclient/src/features/auth/pages/LoginPage.vue
webclient/src/router/index.js
webclient/src/stores/auth.js