From bfe02727bf06bde0e6f7a5c7e9391833b6bffa9d Mon Sep 17 00:00:00 2001 From: Scott Idem Date: Fri, 10 Apr 2026 11:53:00 -0400 Subject: [PATCH] docs(passcode): note backend fixes implemented and tested; phase 2 pending --- documentation/PROJECT__AE_Site_Passcode_Security.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/documentation/PROJECT__AE_Site_Passcode_Security.md b/documentation/PROJECT__AE_Site_Passcode_Security.md index 0bfddc8f..b6dea669 100644 --- a/documentation/PROJECT__AE_Site_Passcode_Security.md +++ b/documentation/PROJECT__AE_Site_Passcode_Security.md @@ -81,6 +81,10 @@ This gives session expiry without a network call on every page load. ## Backend Changes Required +**Note:** The backend fixes described below have been implemented and tested in the `aether_api_fastapi` repository (the `/authenticate_passcode` endpoint now uses explicit role priority, returns a full passcode JWT with `auth_type: 'passcode'`, applies per-role TTLs, and validates passcode length). Frontend changes can proceed once the backend deployment with these fixes is available. + +**Phase 2 status:** Not started — removing `access_code_kv_json` from the public site model remains pending. + **File:** `aether_api_fastapi/app/routers/api.py` The `/authenticate_passcode` endpoint exists and is structurally correct but has four issues that must be fixed before the frontend migrates to using it.
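Review bot: The added note under "Backend Changes Required" says the backend fixes "have been implemented and tested", but the unchanged context directly below it still reads "has four issues that must be fixed before the frontend migrates to using it", so the section now contradicts itself. Either reword that paragraph and the heading to reflect the fixed state, or mark each of the four items as done so a reader can tell which text is current. The note also names no commit, tag or release of `aether_api_fastapi` in which the fixes landed; since frontend work is gated on "the backend deployment with these fixes", cite the version or commit so that gate can be checked. On the Phase 2 line, consider stating plainly that `access_code_kv_json` is still part of the public site model until that phase ships, so the "implemented and tested" note is not read as closing the whole project.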