- Remove unreachable `&& !xsrfToken` condition from `handleFetch` guard;
  simplify the redundant `cookieParts.length > 0` check that follows it
- Add `TOO_MANY_LOGIN_ATTEMPTS` to both Error Handling sections in CLAUDE.md
  (backend and frontend) so LLMs are aware of the code without looking it up
- Add reverse-proxy IP trust and IPv6 address-cycling caveats to ADR-022
  Consequences section

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Documents the double-submit cookie CSRF pattern, sequential token-bucket
rate limiter with refund mechanic, and session revocation on password
change/reset — all implemented as part of issue #524.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>