Scott.Idem/OSIT-AE-App-Svelte
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

docs: update passcode security status and add async $effect guard pattern

Browse Source 
- TODO__Agents.md: check off completed passcode JWT migration items;
  document the three remaining cleanup steps (deferred ~a few days)
- PROJECT__AE_Site_Passcode_Security.md: update status to active/cleanup-deferred,
  check off completed implementation checklist items
- GUIDE__SvelteKit2_Svelte5_DexieJS.md: add new section documenting the
  async-function-from-$effect guard-reset infinite loop pattern, with the
  real example from the passcode auth bug (2026-06-18)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Scott Idem
2026-06-18 13:32:50 -04:00
parent d939f3190d
commit 6222f7655d
3 changed files with 94 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
documentation/PROJECT__AE_Site_Passcode_Security.md
View File

@@ -1,9 +1,9 @@
# PROJECT: Site Passcode Security — API-Verified Auth
**Last Updated:** 2026-06-12
**Last Verified Against Frontend Source:** 2026-06-12
**Status:** Active security gap — frontend migration not started
**Priority:** High — passcodes for trusted/administrator access currently remain in localStorage plaintext
**Last Updated:** 2026-06-18
**Last Verified Against Frontend Source:** 2026-06-18
**Status:** API-verified auth active — cleanup deferred
**Priority:** Low — passcodes no longer cached in localStorage; JWT TTL enforced; local fallback retained temporarily
The frontend still caches `access_code_kv_json`, compares passcodes locally, and can log the
full passcode map when verbose logging is enabled. No frontend call to `/authenticate_passcode`
@@ -328,16 +328,16 @@ async def authenticate_passcode(
## Frontend Implementation Status
Verified 2026-06-12:
Updated 2026-06-18:
- [ ] Confirm the corrected backend endpoint is deployed and reachable.
- [ ] Replace local passcode comparison with API verification and JWT storage.
- [ ] Add pending/error UI for passcode authentication.
- [ ] Stop copying `access_code_kv_json` into frontend auth state.
- [ ] Validate passcode JWT expiry during session restoration.
- [ ] Remove `site_access_code_kv` from auth store defaults and types.
- [ ] Remove any logging of passcode maps or entered passcodes.
- [ ] Backend Phase 2: remove `access_code_kv_json` from the public bootstrap model.
- [x] Confirm the corrected backend endpoint is deployed and reachable. (Moved to `/v3/action/auth/authenticate_passcode`)
- [x] Replace local passcode comparison with API verification and JWT storage. (Debounce + Enter trigger; local comparison kept as silent fallback)
- [x] Add pending/error UI for passcode authentication. (Spinner + inline error message)
- [x] Validate passcode JWT expiry during session restoration. (`+layout.ts` — passcode JWTs only)
- [ ] Stop copying `access_code_kv_json` into frontend auth state. (**Deferred** — keeping fallback ~a few days)
- [ ] Remove `site_access_code_kv` from auth store defaults and types. (**Deferred** — same cleanup pass)
- [ ] Remove passcode-map log from `handle_check_passcode_local()`. (**Deferred** — same cleanup pass; only fires at `log_lvl > 1`)
- [ ] Backend Phase 2: remove `access_code_kv_json` from the public bootstrap model. (**Deferred** — separate backend task)
## Frontend Changes Required