si-meng-spec/ToDoList
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
16 Commits 1 Branch 0 Tags
0ab719500be3dcea76393e36bbb1d60f27ea0fa0
Commit Graph

6 Commits

Author SHA1 Message Date
祀梦
0ab719500b feat: add WebDAV sync support and startup/shutdown scripts 
Backend:
- Add uuid, sync_version, is_deleted fields to all syncable models
- Add SyncSettings model for WebDAV configuration (AES-256-GCM encrypted passwords)
- Add crypto.py: AES-256-GCM encryption derived from JWT_SECRET via PBKDF2
- Add sync_lock.py: thread-level sync lock with 503 middleware for write blocking
- Add webdav.py: WebDAV client using requests (PUT/GET/MKCOL/DELETE)
- Add sync_service.py: push/pull/bidirectional merge with LWW conflict resolution
- Add sync router with 8 endpoints: config, test, push, pull, sync, status, remote delete
- Add UUID backfill for existing records in init_db()
- Add SQLAlchemy before_update event to auto-increment sync_version
- Register sync middleware to block writes during sync (503)

Frontend:
- Add sync API client (WebUI/src/api/sync.ts)
- Add useSyncStore with config, test, push/pull/sync operations
- Add WebDAV config + sync UI in SettingsView
- Add 503 status code handling in axios interceptor
- Add uuid field to all TypeScript type definitions

Scripts:
- Add scripts/start.bat and scripts/stop.bat for project management

Design doc: docs/plan/webdav-sync-design.md
 2026-05-17 21:18:54 +08:00
祀梦
f838840bda feat: add onboarding setup flow with nickname and password 
Replace default auto-generated password with a first-run setup page that
lets users choose their own nickname and password. The /auth/setup endpoint
now accepts an optional nickname field (also sets site_name). Remove
set_default_password() since setup is now mandatory before login.
 2026-05-17 19:45:36 +08:00
祀梦
bfdf0c9987 fix: replace passlib with native bcrypt (Python 3.13 compatibility) 
passlib 1.7.4 has a known bug with bcrypt 4.x on Python 3.13 where
detect_wrap_bug passes an over-72-byte hash as a password, causing
ValueError on every login attempt.

Switched to bcrypt.hashpw/checkpw directly, removing the passlib
dependency entirely.

Also fixed 401 page reload on /auth/login endpoint.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
 2026-05-17 17:12:10 +08:00
祀梦
9d4d869d57 fix: harden authentication system (JWT, cookies, rate limiting, password policy) 
- Replace hardcoded JWT secret with randomly generated key persisted to file
- Replace hardcoded default password with random password shown in logs
- Migrate token storage from localStorage to HttpOnly SameSite=strict cookie
- Add IP-based login rate limiter (5 attempts / 15 min, 429 on lockout)
- Add token_version for JWT revocation on password change
- Add password strength validation (min 6 chars, 3+ unique characters)
- Inject decoded user payload into request.state.user in auth middleware
- Add /api/auth/me and /api/auth/logout endpoints
- Narrow auth middleware exception handling (JWTError only, not all Exception)
- Update updated_at timestamp on password change
- Remove localStorage token management from frontend (axios, router, store)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
 2026-05-17 15:54:45 +08:00
祀梦
3c03866021 feat: add JWT authentication and AGENTS.md 2026-05-17 11:21:41 +08:00
祀梦
2979197b1c release: Elysia ToDo v1.0.0 
鍏ㄦ爤涓汉淇℃伅绠$悊搴旂敤锛岄泦鎴愬緟鍔炰换鍔°€佷範鎯墦鍗°€佺邯蹇垫棩鎻愰啋銆佽祫浜ф€昏鍔熻兘銆

Made-with: Cursor
 2026-03-14 22:21:26 +08:00