Skip to content

feat(security): auth & session security overhaul #803

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
ding113 wants to merge 45 commits into from
Closed

feat(security): auth & session security overhaul #803

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
45 commits
Select commit Hold shift + click to select a range
f20ec3c
feat(auth): wave 1 - login route contract, cookie TDD, loading state,…
ding113 Feb 17, 2026
51374f6
feat(login): wave 2 - redirect safety, visual redesign, footer integr…
ding113 Feb 17, 2026
7721bcc
refactor(auth): wave 3 - role metadata, cookie constant unification, …
ding113 Feb 17, 2026
b04e5f1
test(login): wave 4 - regression matrix, quality gates, stabilization
ding113 Feb 17, 2026
6f48c98
feat(security): wave 5 - session contract, store, cookie hardening, a…
ding113 Feb 17, 2026
caa6929
feat(security): wave 6 - opaque session login, dual-read auth, logout…
ding113 Feb 17, 2026
e85a604
feat(security): wave 7 - security headers integration, regression sui…
ding113 Feb 17, 2026
af39acb
feat(auth): switch session token mode to opaque by default
ding113 Feb 18, 2026
6e9b3ff
fix(test): hoist mock fns to survive vitest mockReset between tests
ding113 Feb 18, 2026
75c6118
refactor(auth): use Web Crypto API for session ID generation
ding113 Feb 18, 2026
3a977e7
feat(provider): add batch patch operation types
ding113 Feb 18, 2026
d9eead7
feat(provider): add batch patch validation and normalization
ding113 Feb 18, 2026
741bc18
test(provider): add batch patch contract validation tests
ding113 Feb 18, 2026
13b0f61
feat(auth): add admin token session support for virtual user
ding113 Feb 18, 2026
fb1fe8a
test(auth): add admin token session validation tests
ding113 Feb 18, 2026
7d87e4c
refactor(proxy): delegate session validation to downstream layouts
ding113 Feb 18, 2026
aa37b04
test(proxy): add cookie passthrough behavior tests
ding113 Feb 18, 2026
711a1d6
feat(providers): add batch patch error code constants
ding113 Feb 18, 2026
6150d8b
feat(providers): implement batch patch preview, apply, and undo actions
ding113 Feb 18, 2026
93431b7
test(providers): add batch patch action contract tests
ding113 Feb 18, 2026
f8ff092
fix(security): normalize origin to lowercase in CSRF guard
ding113 Feb 18, 2026
849bd0f
refactor(auth): improve error handling and lazy-load session store
ding113 Feb 18, 2026
72189da
fix(auth): remove redundant read in session rotation
ding113 Feb 18, 2026
cbe8063
fix(auth): reset session store promise on import failure
ding113 Feb 18, 2026
809072b
test(auth): update import paths and add missing mocks
ding113 Feb 18, 2026
a2d3503
chore: format code (feat-security-auth-overhaul-809072b)
github-actions[bot] Feb 18, 2026
a471494
fix(auth): strengthen userId validation in session parser
ding113 Feb 18, 2026
3fe805c
style(auth): format code and fix test expectation
ding113 Feb 18, 2026
b360cfa
fix(auth): add type assertion for userId in parseSessionData
github-actions[bot] Feb 18, 2026
c834fe6
feat(i18n): add password visibility and brand tagline translations
ding113 Feb 18, 2026
8255245
feat(auth): redesign login page with split panel layout and animations
ding113 Feb 18, 2026
6d868de
test(auth): update login page tests for redesigned UI
ding113 Feb 18, 2026
c992076
fix(auth): prevent session rotation on expired sessions
ding113 Feb 18, 2026
74ee2e4
test(auth): add session expiration and rotation edge case coverage
ding113 Feb 18, 2026
d0ff83c
perf(security): add memory-bounded sweep for login abuse tracking
ding113 Feb 18, 2026
e01b418
fix(security): validate CSP report-uri to prevent directive injection
ding113 Feb 18, 2026
a58f62c
test(security): add case-insensitive origin matching coverage
ding113 Feb 18, 2026
1191396
refactor(providers): extract thinking budget editor into reusable com…
ding113 Feb 18, 2026
01af76b
feat(providers): add adaptive thinking configuration editor
ding113 Feb 18, 2026
557f6c7
refactor(providers): use extracted thinking budget editor in routing …
ding113 Feb 18, 2026
e8de044
feat(providers): add in-memory undo snapshot store with TTL
ding113 Feb 18, 2026
fed2bb6
feat(providers): support advanced routing fields in batch updates
ding113 Feb 18, 2026
470d2ca
test(settings): add adaptive thinking editor component tests
ding113 Feb 18, 2026
763c879
test(settings): add comprehensive tests for adaptive thinking editor
ding113 Feb 18, 2026
902b4e3
fix: remove orphan test code outside describe blocks
github-actions[bot] Feb 18, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
7 changes: 6 additions & 1 deletion messages/en/auth.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,7 +1,9 @@
{
"form": {
"title": "Login Panel",
"description": "Access the unified admin console with your API Key"
"description": "Access the unified admin console with your API Key",
"showPassword": "Show password",
"hidePassword": "Hide password"
},
"login": {
"title": "Login",
Expand All @@ -20,6 +22,9 @@
"placeholders": {
"apiKeyExample": "e.g. sk-xxxxxxxx"
},
"brand": {
"tagline": "Unified API management console"
},
"actions": {
"enterConsole": "Enter Console",
"viewUsageDoc": "View Usage Documentation"
Expand Down
7 changes: 6 additions & 1 deletion messages/ja/auth.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,7 +1,9 @@
{
"form": {
"title": "ログインパネル",
"description": "API キーを使用して統一管理コンソールにアクセスします"
"description": "API キーを使用して統一管理コンソールにアクセスします",
"showPassword": "パスワードを表示",
"hidePassword": "パスワードを非表示"
},
"login": {
"title": "ログイン",
Expand All @@ -20,6 +22,9 @@
"placeholders": {
"apiKeyExample": "例: sk-xxxxxxxx"
},
"brand": {
"tagline": "統合API管理コンソール"
},
"actions": {
"enterConsole": "コンソールに入る",
"viewUsageDoc": "使用方法を見る"
Expand Down
7 changes: 6 additions & 1 deletion messages/ru/auth.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,7 +1,9 @@
{
"form": {
"title": "Панель входа",
"description": "Введите ваш API ключ для доступа к данным"
"description": "Введите ваш API ключ для доступа к данным",
"showPassword": "Показать пароль",
"hidePassword": "Скрыть пароль"
},
"login": {
"title": "Вход",
Expand All @@ -20,6 +22,9 @@
"placeholders": {
"apiKeyExample": "например sk-xxxxxxxx"
},
"brand": {
"tagline": "Единая консоль управления API"
},
"actions": {
"enterConsole": "Перейти в консоль",
"viewUsageDoc": "Просмотреть документацию"
Expand Down
7 changes: 6 additions & 1 deletion messages/zh-CN/auth.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -27,6 +27,9 @@
"placeholders": {
"apiKeyExample": "例如 sk-xxxxxxxx"
},
"brand": {
"tagline": "统一 API 管理控制台"
},
"actions": {
"enterConsole": "进入控制台",
"viewUsageDoc": "查看使用文档"
Expand All @@ -41,6 +44,8 @@
},
"form": {
"title": "登录面板",
"description": "使用您的 API Key 进入统一控制台"
"description": "使用您的 API Key 进入统一控制台",
"showPassword": "显示密码",
"hidePassword": "隐藏密码"
}
}
7 changes: 6 additions & 1 deletion messages/zh-TW/auth.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,7 +1,9 @@
{
"form": {
"title": "登錄面板",
"description": "使用您的 API Key 進入統一控制台"
"description": "使用您的 API Key 進入統一控制台",
"showPassword": "顯示密碼",
"hidePassword": "隱藏密碼"
},
"login": {
"title": "登錄",
Expand All @@ -20,6 +22,9 @@
"placeholders": {
"apiKeyExample": "例如 sk-xxxxxxxx"
},
"brand": {
"tagline": "統一 API 管理控制台"
},
"actions": {
"enterConsole": "進入控制台",
"viewUsageDoc": "查看使用文檔"
Expand Down
Loading