platform

yusiboyz/platform

Fork 0

Commit Graph

Author	SHA1	Message	Date
Yusuf Suleman	d700ba7569	fix(trips): enforce password protection on shared trips (#3 ) - handle_share_api now checks X-Share-Password header against bcrypt hash before returning trip data. Returns 401 with {protected: true} if password required but not provided/incorrect - share_password now stored as bcrypt hash, not plaintext - All plaintext password logging removed from handle_share_verify - handle_share_verify uses bcrypt.checkpw instead of string equality - Migration invalidates existing plaintext share passwords (< 50 chars) - Removed dead hash_password function (used hashlib.sha256) - Added bcrypt to trips Dockerfile Closes #3	2026-03-29 08:50:45 -05:00
Yusuf Suleman	6bd23e7e8b	fix: security hardening across platform - Disable open /api/auth/register endpoint (gateway) - Require gateway session auth on Immich and Karakeep hooks proxies - Replace SHA-256 with bcrypt in fitness service (auth + seed) - Remove hardcoded Telegram user IDs from fitness seed - Add Secure flag to session cookie - Add domain allowlist and content-type validation to image proxy - Strengthen .gitignore (env variants, runtime data, test artifacts)	2026-03-29 08:25:50 -05:00
Yusuf Suleman	d3e250e361	Initial commit: Second Brain Platform Complete platform with unified design system and real API integration. Apps: Dashboard, Fitness, Budget, Inventory, Trips, Reader, Media, Settings Infrastructure: SvelteKit + Python gateway + Docker Compose	2026-03-28 23:20:40 -05:00

Author

SHA1

Message

Date

Yusuf Suleman

d700ba7569

fix(trips): enforce password protection on shared trips (#3 )

- handle_share_api now checks X-Share-Password header against bcrypt hash
  before returning trip data. Returns 401 with {protected: true} if password
  required but not provided/incorrect
- share_password now stored as bcrypt hash, not plaintext
- All plaintext password logging removed from handle_share_verify
- handle_share_verify uses bcrypt.checkpw instead of string equality
- Migration invalidates existing plaintext share passwords (< 50 chars)
- Removed dead hash_password function (used hashlib.sha256)
- Added bcrypt to trips Dockerfile

Closes #3

2026-03-29 08:50:45 -05:00

Yusuf Suleman

6bd23e7e8b

fix: security hardening across platform

- Disable open /api/auth/register endpoint (gateway)
- Require gateway session auth on Immich and Karakeep hooks proxies
- Replace SHA-256 with bcrypt in fitness service (auth + seed)
- Remove hardcoded Telegram user IDs from fitness seed
- Add Secure flag to session cookie
- Add domain allowlist and content-type validation to image proxy
- Strengthen .gitignore (env variants, runtime data, test artifacts)

2026-03-29 08:25:50 -05:00

Yusuf Suleman

d3e250e361

Initial commit: Second Brain Platform

Complete platform with unified design system and real API integration.

Apps: Dashboard, Fitness, Budget, Inventory, Trips, Reader, Media, Settings
Infrastructure: SvelteKit + Python gateway + Docker Compose

2026-03-28 23:20:40 -05:00

3 Commits