familienarchiv

marcel/familienarchiv

Fork 0

Commit Graph

Author	SHA1	Message	Date
Marcel	687a2590c7	fix(auth): address PR #617 review feedback on CSRF/rate-limit implementation All checks were successful CI / Unit & Component Tests (pull_request) Successful in 3m14s Details CI / OCR Service Tests (pull_request) Successful in 20s Details CI / Backend Unit Tests (pull_request) Successful in 3m7s Details CI / fail2ban Regex (pull_request) Successful in 45s Details CI / Semgrep Security Scan (pull_request) Successful in 20s Details CI / Compose Bucket Idempotency (pull_request) Successful in 1m0s Details - Remove unreachable `&& !xsrfToken` condition from `handleFetch` guard; simplify the redundant `cookieParts.length > 0` check that follows it - Add `TOO_MANY_LOGIN_ATTEMPTS` to both Error Handling sections in CLAUDE.md (backend and frontend) so LLMs are aware of the code without looking it up - Add reverse-proxy IP trust and IPv6 address-cycling caveats to ADR-022 Consequences section Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-19 07:41:04 +02:00
Marcel	1052295a6e	docs(adr): add ADR-022 for CSRF, session revocation, and rate limiting Documents the double-submit cookie CSRF pattern, sequential token-bucket rate limiter with refund mechanic, and session revocation on password change/reset — all implemented as part of issue #524. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-18 13:40:19 +02:00

Author

SHA1

Message

Date

Marcel

687a2590c7

fix(auth): address PR #617 review feedback on CSRF/rate-limit implementation

CI / Unit & Component Tests (pull_request) Successful in 3m14s

Details

CI / OCR Service Tests (pull_request) Successful in 20s

Details

CI / Backend Unit Tests (pull_request) Successful in 3m7s

Details

CI / fail2ban Regex (pull_request) Successful in 45s

Details

CI / Semgrep Security Scan (pull_request) Successful in 20s

Details

CI / Compose Bucket Idempotency (pull_request) Successful in 1m0s

Details

- Remove unreachable `&& !xsrfToken` condition from `handleFetch` guard;
  simplify the redundant `cookieParts.length > 0` check that follows it
- Add `TOO_MANY_LOGIN_ATTEMPTS` to both Error Handling sections in CLAUDE.md
  (backend and frontend) so LLMs are aware of the code without looking it up
- Add reverse-proxy IP trust and IPv6 address-cycling caveats to ADR-022
  Consequences section

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

2026-05-19 07:41:04 +02:00

Marcel

1052295a6e

docs(adr): add ADR-022 for CSRF, session revocation, and rate limiting

Documents the double-submit cookie CSRF pattern, sequential token-bucket
rate limiter with refund mechanic, and session revocation on password
change/reset — all implemented as part of issue #524.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

2026-05-18 13:40:19 +02:00

2 Commits