ToDoList

si-meng-spec/ToDoList

Fork 0

Commit Graph

Author	SHA1	Message	Date
祀梦	bfdf0c9987	fix: replace passlib with native bcrypt (Python 3.13 compatibility) passlib 1.7.4 has a known bug with bcrypt 4.x on Python 3.13 where detect_wrap_bug passes an over-72-byte hash as a password, causing ValueError on every login attempt. Switched to bcrypt.hashpw/checkpw directly, removing the passlib dependency entirely. Also fixed 401 page reload on /auth/login endpoint. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-17 17:12:10 +08:00
祀梦	9d4d869d57	fix: harden authentication system (JWT, cookies, rate limiting, password policy) - Replace hardcoded JWT secret with randomly generated key persisted to file - Replace hardcoded default password with random password shown in logs - Migrate token storage from localStorage to HttpOnly SameSite=strict cookie - Add IP-based login rate limiter (5 attempts / 15 min, 429 on lockout) - Add token_version for JWT revocation on password change - Add password strength validation (min 6 chars, 3+ unique characters) - Inject decoded user payload into request.state.user in auth middleware - Add /api/auth/me and /api/auth/logout endpoints - Narrow auth middleware exception handling (JWTError only, not all Exception) - Update updated_at timestamp on password change - Remove localStorage token management from frontend (axios, router, store) Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-17 15:54:45 +08:00
祀梦	3c03866021	feat: add JWT authentication and AGENTS.md	2026-05-17 11:21:41 +08:00

Author

SHA1

Message

Date

祀梦

bfdf0c9987

fix: replace passlib with native bcrypt (Python 3.13 compatibility)

passlib 1.7.4 has a known bug with bcrypt 4.x on Python 3.13 where
detect_wrap_bug passes an over-72-byte hash as a password, causing
ValueError on every login attempt.

Switched to bcrypt.hashpw/checkpw directly, removing the passlib
dependency entirely.

Also fixed 401 page reload on /auth/login endpoint.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-05-17 17:12:10 +08:00

祀梦

9d4d869d57

fix: harden authentication system (JWT, cookies, rate limiting, password policy)

- Replace hardcoded JWT secret with randomly generated key persisted to file
- Replace hardcoded default password with random password shown in logs
- Migrate token storage from localStorage to HttpOnly SameSite=strict cookie
- Add IP-based login rate limiter (5 attempts / 15 min, 429 on lockout)
- Add token_version for JWT revocation on password change
- Add password strength validation (min 6 chars, 3+ unique characters)
- Inject decoded user payload into request.state.user in auth middleware
- Add /api/auth/me and /api/auth/logout endpoints
- Narrow auth middleware exception handling (JWTError only, not all Exception)
- Update updated_at timestamp on password change
- Remove localStorage token management from frontend (axios, router, store)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-05-17 15:54:45 +08:00

祀梦

3c03866021

feat: add JWT authentication and AGENTS.md

2026-05-17 11:21:41 +08:00

3 Commits