john/tractatus
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
tractatus/public
History
TheFlow 8538dc5b66 security: harden admin panel before production deployment 
Critical Security Fixes:
1. Remove default credentials from login page (inst_012 compliance)
2. Create auth-check.js utility for client-side authentication
3. Add authentication redirects to all admin pages

Authentication Protection:
- All admin pages now check for valid JWT token on load
- Redirect to login if unauthenticated or token expired
- Token expiration validation (client-side check)
- Role verification (admin/moderator required)
- Periodic token validity checks (every 5 minutes)

Files Protected:
 /admin/dashboard.html
 /admin/rule-manager.html
 /admin/project-manager.html
 /admin/claude-md-migrator.html
 /admin/blog-curation.html
 /admin/audit-analytics.html
(login.html excluded - entry point)

Authentication Flow:
1. User accesses admin page
2. auth-check.js runs immediately
3. Check localStorage for admin_token
4. Parse JWT to verify expiration and role
5. If invalid: redirect to /admin/login.html with reason
6. If valid: allow page to load normally

API Security (already in place):
- All /api/admin/* endpoints require JWT
- authenticateToken middleware validates tokens
- requireRole middleware enforces admin/moderator access

Addresses security concerns:
- inst_012: No internal/confidential data exposure
- inst_013: No sensitive runtime data in public endpoints
- inst_014: No API surface enumeration
- inst_015: No internal documentation exposure

Remaining Recommendations:
- Change default admin password on production (MANUAL STEP)
- Consider IP whitelist for /admin/* (optional)
- Add rate limiting to /api/auth/login (future enhancement)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-10-11 17:26:50 +13:00
..
.well-known security: comprehensive security audit and hardening 2025-10-10 05:34:40 +13:00
about feat: complete Phase 2 - accessibility, performance, mobile polish 2025-10-08 13:29:26 +13:00
admin security: harden admin panel before production deployment 2025-10-11 17:26:50 +13:00
css fix(ui): rebuild Tailwind CSS with tooltip classes and update cache to v1.0.4 2025-10-09 09:53:07 +13:00
demos feat: comprehensive documentation improvements and GitHub integration 2025-10-09 14:33:14 +13:00
images feat: complete Phase 2 - accessibility, performance, mobile polish 2025-10-08 13:29:26 +13:00
js security: harden admin panel before production deployment 2025-10-11 17:26:50 +13:00
koha feat: complete Priority 2 - Enhanced Koha Transparency Dashboard 2025-10-11 17:14:34 +13:00
about.html fix: improve About page presentation and resolve search endpoint tests 2025-10-10 11:39:14 +13:00
advocate.html feat(infra): semantic versioning and systemd service implementation 2025-10-09 09:16:22 +13:00
api-reference.html feat: change license from MIT to Apache License 2.0 2025-10-07 23:43:20 +13:00
blog-post.html feat: implement Priority 1 - Public Blog System with governance enhancements 2025-10-11 14:47:01 +13:00
blog.html feat: implement Priority 1 - Public Blog System with governance enhancements 2025-10-11 14:47:01 +13:00
case-submission.html feat: complete Phase 2 - accessibility, performance, mobile polish 2025-10-08 13:29:26 +13:00
check-version.html feat: fix documentation system - cards, PDFs, TOC, and navigation 2025-10-07 22:51:55 +13:00
docs-viewer.html feat: change license from MIT to Apache License 2.0 2025-10-07 23:43:20 +13:00
docs.html feat: comprehensive documentation improvements and GitHub integration 2025-10-09 14:33:14 +13:00
favicon.ico feat: implement Rule Manager and Project Manager admin systems 2025-10-11 17:16:51 +13:00
favicon.svg feat: comprehensive documentation improvements and GitHub integration 2025-10-09 14:33:14 +13:00
implementer.html feat(infra): semantic versioning and systemd service implementation 2025-10-09 09:16:22 +13:00
index.html feat: complete Priority 2 - Enhanced Koha Transparency Dashboard 2025-10-11 17:14:34 +13:00
koha.html feat: add Koha pre-production deployment configuration 2025-10-08 21:00:54 +13:00
leader.html feat: initial commit with security hardening and framework documentation 2025-10-09 12:05:07 +13:00
media-inquiry.html feat: complete Phase 2 - accessibility, performance, mobile polish 2025-10-08 13:29:26 +13:00
privacy.html feat: add multi-currency support and privacy policy to Koha system 2025-10-08 15:17:23 +13:00
researcher.html feat(infra): semantic versioning and systemd service implementation 2025-10-09 09:16:22 +13:00