v1.1.0

New Issue

First post-prod-deploy release cycle. Closes the security debt that was deliberately deferred during the Production v1 push so the deploy could ship: the auth model rewrite (session-based auth, CSRF re-enable, session revocation, login rate limiting). Hard cutover release — all in-flight sessions are invalidated on deploy. Anchored by the two replacement issues for #522 (session model cutover + defense-in-depth). Closes when both ship and the AuthTokenCookieFilter is fully removed from the codebase.

No due date

0% Completed

2 Open 0 Closed

Label

Show archived labels Use alt + click/enter to exclude labels

All labels No label

P0-critical

P1-high

P2-medium

P3-later

audit

bug

cleanup

collaboration

conversation

descoped

devops

documentation

epic

feature

file-upload

legibility

notification

person

phase-1: security

phase-2: container-images

phase-3: prod-compose

phase-4: spring-prod-profile

phase-5: backups

phase-6: deployment-docs

phase-7: monitoring

refactor

security

test

ui

user

Project

All projects No project

Author

All users

Assignee

Assigned to nobody Assigned to anybody

Jens marcel

Sort

Newest Oldest Most recently updated Least recently updated Most commented Least commented Nearest due date Farthest due date

feat(auth): defense-in-depth — CSRF, session revocation, login rate limit P1-high feature security

#524 opened 2026-05-11 18:50:20 +02:00 by marcel 0 / 11

8

feat(auth): server-side session model replacing Basic-auth cookie promotion P1-high feature security

#523 opened 2026-05-11 18:49:05 +02:00 by marcel 0 / 8

9