elpatron/kapteins-daagbok
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Activity

feat(security): Session-Cookies statt X-User-Id und API-Härtung

Browse Source 
Ersetzt die spoofbare X-User-Id-Auth durch signierte HttpOnly-Sessions nach
WebAuthn, erzwingt WRITE-only Sync, speichert den Master-Key nur im RAM und
ergänzt CORS, Rate-Limits, Helmet sowie Passkey-Reauth für sensible Aktionen.

Co-authored-by: Cursor <cursoragent@cursor.com>
This commit is contained in:
elpatron
2026-05-30 13:47:24 +02:00
parent 4f3f530f1f
commit dea33e3f00
33 changed files with 657 additions and 397 deletions
Download Patch File Download Diff File Expand all files Collapse all files
client/src/services/logbookAccess.ts
+4 -7
View File
@@ -1,3 +1,5 @@
import { apiJson } from './api.js'
export interface LogbookAccess {
isOwner: boolean
role: 'OWNER' | 'READ' | 'WRITE'
@@ -5,15 +7,10 @@ export interface LogbookAccess {
}
export async function getLogbookAccess(logbookId: string): Promise<LogbookAccess | null> {
const userId = localStorage.getItem('active_userid')
if (!userId || !navigator.onLine) return null
if (!localStorage.getItem('active_userid') || !navigator.onLine) return null
try {
const res = await fetch(`/api/logbooks/${logbookId}/access`, {
headers: { 'X-User-Id': userId }
})
if (!res.ok) return null
return res.json()
return await apiJson<LogbookAccess>(`/api/logbooks/${logbookId}/access`)
} catch {
return null
}