root/smart-home-server

Fork: 0

root / smart-home-server

History for smart-home-server / webclient / src / features / auth / pages

2026-06-07	e90acee Browse files » Phase 1 auth security hotfixes: cookie-based session, bearer checks, router guard sync ... - Remove access_token from OAuth callback URL (token leak fix) - Add sanitizeReturnTo() to prevent open redirect on login/callback - Add Bearer token expiration check in resolve_user_by_bearer() - Add user status check in load_user_by_id() (block inactive/banned) - Cache authStore.init() promise to prevent race condition - Await auth init in router beforeEach guard - Remove URL token parsing from main.js and LoginPage - Remove hasTokenInUrl workaround from client.js 401 handler Eugene Sukhodolskiy committed 8 hours ago
2026-06-07	7f7ad82 Browse files » Integrate Vue webclient into server: serve SPA from /, remove proxy.php, update auth redirects Eugene Sukhodolskiy committed 9 hours ago
2026-06-06	74d4c0f Browse files » Route all auth/login requests through proxy.php for cross-domain SPA ... - Replace direct /auth/login with /proxy.php?path=/auth/login so the request reaches the PHP backend through proxy.php when the SPA runs on a different domain (panel.smarthome.arp vs 192.168.1.101). - Pass full window.location.href as return_to so the OAuth callback redirects back to the panel domain, not the bare server IP. Eugene Sukhodolskiy committed 22 hours ago
	7cf585f Browse files » Add Bearer token persistence for cross-domain SPA auth ... - api/auth.js: persist access token in localStorage so it survives page reloads and works across domains (panel vs server IP). - LoginPage.vue: on mount, check for access_token in URL query params (from OAuth callback) and initialize auth store. - AuthController::callback(): append access_token + expires_in to the redirect URL so the SPA can capture it. Eugene Sukhodolskiy committed 23 hours ago
	de66b06 Browse files » Improve LoginPage design: centered card with brand, hint and clear auth button ... - Replace GnEmptyState with custom centered login card - Add brand icon, title and subtitle - Make 'Sign in with gnexus-auth' button large and full-width - Show session-check spinner while authStore.init() runs - Rebuild production dist/ Eugene Sukhodolskiy committed 1 day ago
	ac97fa4 Browse files » Phase 4: Vue client auth store, Bearer token injection, router guards, login page ... Server: - AuthControllerTrait now supports both session and Bearer token auth (resolves user from Authorization: Bearer header via shserv_sessions) Vue client: - Add api/auth.js module for access token management - Inject Authorization: Bearer header in http.js - Handle 401 in client.js: clear token + redirect to /auth/login - New Pinia auth store (stores/auth.js): init, refreshToken, logout, hasPermission - New usePermission composable - Router guards: redirect unauthenticated to /login, permission-based route blocking - New LoginPage.vue with gnexus-auth login button - AppShell: conditional nav items by permission, user bar with logout - main.js: initialize auth before mounting app - MSW mocks: /auth/me, /auth/logout, /auth/refresh - Fix AppShell.spec.js for Pinia + router setup All 167 tests pass. Eugene Sukhodolskiy committed 1 day ago