Phase 1 auth security hotfixes: cookie-based session, bearer checks, router guard sync
...
- Remove access_token from OAuth callback URL (token leak fix)
- Add sanitizeReturnTo() to prevent open redirect on login/callback
- Add Bearer token expiration check in resolve_user_by_bearer()
- Add user status check in load_user_by_id() (block inactive/banned)
- Cache authStore.init() promise to prevent race condition
- Await auth init in router beforeEach guard
- Remove URL token parsing from main.js and LoginPage
- Remove hasTokenInUrl workaround from client.js 401 handler
Eugene Sukhodolskiy committed 7 hours ago
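The open-redirect guard named in the bullet list above, written here as an added example rather than the repository's own `sanitizeReturnTo()`. It assumes a JavaScript client that reads `returnTo` from the login or callback query string and hands the result to the router, and that `/login` and `/auth/` are the app's own authentication routes (both assumptions, not taken from the commit). The idea is to accept only an absolute-path reference on the app's own origin and fall back to a fixed default for anything else:

```javascript
// Added example: a defensive returnTo sanitizer for a browser client.
// Not the project's code; route prefixes below are assumed.
const DEFAULT_RETURN_TO = '/';
const OWN_AUTH_PREFIXES = ['/login', '/auth/']; // assumed app auth routes

// Returns a same-origin, normalized path (plus query and fragment) or the
// fallback. Everything that could resolve to another origin is rejected:
// absolute URLs, protocol-relative "//host", backslash variants, and
// whitespace/control characters that URL parsers silently strip.
function sanitizeReturnTo(raw, fallback = DEFAULT_RETURN_TO) {
  if (typeof raw !== 'string' || raw.length === 0 || raw.length > 2048) {
    return fallback;
  }
  // Tabs, newlines and other control characters are removed by the WHATWG
  // URL parser before parsing, so "/\t/evil" would become "//evil".
  if (/[\s\u0000-\u001f\u007f]/.test(raw)) return fallback;
  // Only absolute-path references: exactly one leading slash.
  if (!raw.startsWith('/') || /^[\/\\]{2}/.test(raw)) return fallback;
  // Browsers treat "\" as "/" in special schemes, so "/\evil" is "//evil".
  if (raw.includes('\\')) return fallback;

  // Resolve against a fixed placeholder origin; if the parser ends up on a
  // different origin the input was not a plain path after all.
  const base = 'https://app.invalid';
  let url;
  try {
    url = new URL(raw, base);
  } catch {
    return fallback;
  }
  if (url.origin !== base) return fallback;

  // Never bounce the user straight back into the auth flow (login loops).
  if (OWN_AUTH_PREFIXES.some((p) => url.pathname.startsWith(p))) {
    return fallback;
  }
  // Return the normalized form ("/a/../b" becomes "/b"), never the raw input.
  return url.pathname + url.search + url.hash;
}
```

Use it at both ends of the flow: when building the login link, and again in the OAuth callback before calling the router, since the callback's query string is attacker-controllable regardless of what the login page put there.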