ToDoList

Author	SHA1	Message	Date
祀梦	f838840bda	feat: add onboarding setup flow with nickname and password Replace default auto-generated password with a first-run setup page that lets users choose their own nickname and password. The /auth/setup endpoint now accepts an optional nickname field (also sets site_name). Remove set_default_password() since setup is now mandatory before login.	2026-05-17 19:45:36 +08:00
祀梦	bfdf0c9987	fix: replace passlib with native bcrypt (Python 3.13 compatibility) passlib 1.7.4 has a known bug with bcrypt 4.x on Python 3.13 where detect_wrap_bug passes an over-72-byte hash as a password, causing ValueError on every login attempt. Switched to bcrypt.hashpw/checkpw directly, removing the passlib dependency entirely. Also fixed 401 page reload on /auth/login endpoint. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-17 17:12:10 +08:00
祀梦	9d4d869d57	fix: harden authentication system (JWT, cookies, rate limiting, password policy) - Replace hardcoded JWT secret with randomly generated key persisted to file - Replace hardcoded default password with random password shown in logs - Migrate token storage from localStorage to HttpOnly SameSite=strict cookie - Add IP-based login rate limiter (5 attempts / 15 min, 429 on lockout) - Add token_version for JWT revocation on password change - Add password strength validation (min 6 chars, 3+ unique characters) - Inject decoded user payload into request.state.user in auth middleware - Add /api/auth/me and /api/auth/logout endpoints - Narrow auth middleware exception handling (JWTError only, not all Exception) - Update updated_at timestamp on password change - Remove localStorage token management from frontend (axios, router, store) Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-17 15:54:45 +08:00
祀梦	3c03866021	feat: add JWT authentication and AGENTS.md	2026-05-17 11:21:41 +08:00

4 Commits