yusiboyz/platform
1
0
Fork 0
Code Issues 4 Pull Requests Actions Packages Projects Releases Wiki Activity
12 Commits 1 Branch 0 Tags
14c667bd5e38e1ccb786baddbfa4f415918443fd
Commit Graph

4 Commits

Author SHA1 Message Date
Yusuf Suleman
79d2c3b4b6 fix: remove all default credentials (#2) 
- Gateway: admin user seeded from ADMIN_USERNAME/ADMIN_PASSWORD env vars
  (no more hardcoded admin/admin). Warns if not set.
- Trips: USERNAME/PASSWORD env vars no longer default to admin/admin.
  Warns if not set.
- Fitness: user seed requires USER{n}_USERNAME/PASSWORD env vars.
  No more "changeme" fallback. Skips seed if not set.
- /api/auth/register remains disabled (403)

Closes #2
 2026-03-29 09:10:44 -05:00
Yusuf Suleman
fb79f15f75 fix(fitness): eliminate cross-user data access (#4) 
- All user_id query params now enforced to authenticated user's own ID
- /api/users restricted to return only current user (no user enumeration)
- Wildcard CORS headers removed (service is internal-only via gateway)
- Covers: entries, totals, goals, templates, favorites, goal setting

Closes #4
 2026-03-29 08:53:04 -05:00
Yusuf Suleman
6bd23e7e8b fix: security hardening across platform 
- Disable open /api/auth/register endpoint (gateway)
- Require gateway session auth on Immich and Karakeep hooks proxies
- Replace SHA-256 with bcrypt in fitness service (auth + seed)
- Remove hardcoded Telegram user IDs from fitness seed
- Add Secure flag to session cookie
- Add domain allowlist and content-type validation to image proxy
- Strengthen .gitignore (env variants, runtime data, test artifacts)
 2026-03-29 08:25:50 -05:00
Yusuf Suleman
d3e250e361 Initial commit: Second Brain Platform 
Complete platform with unified design system and real API integration.

Apps: Dashboard, Fitness, Budget, Inventory, Trips, Reader, Media, Settings
Infrastructure: SvelteKit + Python gateway + Docker Compose
 2026-03-28 23:20:40 -05:00