security: httpOnly cookies, rate limiting, nginx headers, SSE sanitization

Auth / token storage: - JWT is now set as an httpOnly Secure SameSite=Lax cookie on login - Add POST /auth/logout endpoint that clears the cookie - get_current_member falls back to rh_token cookie when no Authorization header - WebSocket auth now accepts cookie (rh_token) or optional ?token= query param - Frontend removes all localStorage JWT access; uses credentials:"include" on every fetch so the httpOnly cookie is sent automatically - Replace clearToken() with logout() that calls the server logout endpoint - Non-sensitive rh_session flag in localStorage used only for client-side routing Rate limiting: - Add slowapi>=0.1.9 dependency - /auth/login limited to 10 req/min per IP - /auth/register limited to 5 req/min per IP Nginx security headers: - Add X-Frame-Options, X-Content-Type-Options, Referrer-Policy, X-XSS-Protection, Permissions-Policy to all responses SSE error leakage: - songs.py nc-scan/stream no longer leaks str(exc) to clients Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-30 21:11:53 +02:00
parent 68da26588a
commit c1941ed9ac
14 changed files with 109 additions and 40 deletions
--- a/web/src/pages/BandPage.tsx
+++ b/web/src/pages/BandPage.tsx
@@ -123,11 +123,11 @@ export function BandPage() {
    setScanMsg(null);
    setScanProgress("Starting scan…");

-    const token = localStorage.getItem("rh_token");
-    const url = `/api/v1/bands/${bandId}/nc-scan/stream${token ? `?token=${encodeURIComponent(token)}` : ""}`;
+    const url = `/api/v1/bands/${bandId}/nc-scan/stream`;

    try {
-      const resp = await fetch(url);
+      // credentials: "include" sends the rh_token httpOnly cookie automatically
+      const resp = await fetch(url, { credentials: "include" });
      if (!resp.ok || !resp.body) {
        const text = await resp.text().catch(() => resp.statusText);
        throw new Error(text || `HTTP ${resp.status}`);
--- a/web/src/pages/HomePage.tsx
+++ b/web/src/pages/HomePage.tsx
@@ -2,7 +2,7 @@ import { useState } from "react";
 import { useNavigate } from "react-router-dom";
 import { useQuery, useMutation, useQueryClient } from "@tanstack/react-query";
 import { listBands, createBand } from "../api/bands";
-import { clearToken } from "../api/client";
+import { logout } from "../api/auth";

 export function HomePage() {
  const navigate = useNavigate();
@@ -29,8 +29,7 @@ export function HomePage() {
  });

  function handleSignOut() {
-    clearToken();
-    navigate("/login");
+    logout();
  }

  const inputStyle: React.CSSProperties = {
--- a/web/src/pages/InvitePage.tsx
+++ b/web/src/pages/InvitePage.tsx
@@ -1,6 +1,6 @@
 import { useEffect, useState } from "react";
 import { useParams, useNavigate } from "react-router-dom";
-import { api } from "../api/client";
+import { api, isLoggedIn } from "../api/client";

 interface InviteInfo {
  id: string;
@@ -19,7 +19,7 @@ export function InvitePage() {
  const [accepting, setAccepting] = useState(false);
  const [done, setDone] = useState(false);

-  const isLoggedIn = !!localStorage.getItem("rh_token");
+  const loggedIn = isLoggedIn();

  useEffect(() => {
    if (!token) return;
@@ -74,7 +74,7 @@ export function InvitePage() {
              {invite.used_at && " · Already used"}
            </p>

-            {isLoggedIn ? (
+            {loggedIn ? (
              <button
                onClick={accept}
                disabled={accepting || !!invite.used_at}