docs: audit and archive completed Journals and Badges projects
@@ -1,8 +1,14 @@
# PROJECT: Site Passcode Security — API-Verified Auth
**Last Updated:** 2026-04-10
**Status:** Backend work in progress — frontend pending backend completion
**Priority:** High — passcodes for trusted/administrator access currently in localStorage plaintext
**Last Updated:** 2026-06-12
**Last Verified Against Frontend Source:** 2026-06-12
**Status:** Active security gap — frontend migration not started
**Priority:** High — passcodes for trusted/administrator access currently remain in localStorage plaintext
The frontend still caches `access_code_kv_json`, compares passcodes locally, and can log the
full passcode map when verbose logging is enabled. No frontend call to `/authenticate_passcode`
or passcode-JWT expiry restoration exists. Backend implementation is documented as completed,
but deployment must be confirmed in the backend repository/environment before frontend cutover.
---
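Review bot: the new summary paragraph states that verbose logging can emit the full passcode map, and that leak does not depend on the backend cutover; the status block should say so, so that "frontend migration not started" is not read as blocking it. Suggest a sentence such as "Logging of the passcode map can be removed now, independently of `/authenticate_passcode`." Also, "deployment must be confirmed in the backend repository/environment" should name the evidence expected (the deployed revision or tag of `aether_api_fastapi`, and a request against the live endpoint) so that a later reader can tell when that confirmation has actually happened.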
@@ -81,7 +87,11 @@ This gives session expiry without a network call on every page load.
## Backend Changes Required
**Note:** The backend fixes described below have been implemented and tested in the `aether_api_fastapi` repository (the `/authenticate_passcode` endpoint now uses explicit role priority, returns a full passcode JWT with `auth_type: 'passcode'`, applies per-role TTLs, and validates passcode length). Frontend changes can proceed once the backend deployment with these fixes is available.
**Backend status note:** The fixes below were reported implemented and tested in the
`aether_api_fastapi` repository. This frontend-only audit did not verify the backend source or
deployment. Confirm that the deployed `/authenticate_passcode` uses explicit role priority,
returns a complete passcode JWT with `auth_type: 'passcode'`, applies per-role TTLs, and validates
passcode length before starting frontend cutover.
### Backend Agent Follow-Up
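Review bot: the replacement note correctly downgrades the old claim to "reported implemented and tested", but "Confirm that the deployed `/authenticate_passcode` ..." is still not actionable as written. Spell out the check: send a valid passcode for each role and decode the returned JWT to verify it carries `auth_type: 'passcode'` and an `exp` consistent with that role's TTL, then send a passcode outside the accepted length and verify it is rejected. Recording the deployed backend revision next to this note would let the next audit avoid repeating the exercise.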
@@ -316,6 +326,19 @@ async def authenticate_passcode(
---
## Frontend Implementation Status
Verified 2026-06-12:
- [ ] Confirm the corrected backend endpoint is deployed and reachable.
- [ ] Replace local passcode comparison with API verification and JWT storage.
- [ ] Add pending/error UI for passcode authentication.
- [ ] Stop copying `access_code_kv_json` into frontend auth state.
- [ ] Validate passcode JWT expiry during session restoration.
- [ ] Remove `site_access_code_kv` from auth store defaults and types.
- [ ] Remove any logging of passcode maps or entered passcodes.
- [ ] Backend Phase 2: remove `access_code_kv_json` from the public bootstrap model.
## Frontend Changes Required
**These depend on the backend fixes above being deployed first.**
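Review bot: "These depend on the backend fixes above being deployed first." is too broad for the checklist just above it. "Remove any logging of passcode maps or entered passcodes" can and should be done now, since it removes a credential leak regardless of how authentication is performed; only the API-verification, JWT-storage and expiry-restoration items actually need the deployed endpoint. Also, the "Backend Phase 2" item sits under "Frontend Implementation Status"; move it to the backend section or mark it as out of scope for this checklist so the frontend list reads as a complete cutover plan.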