tractatus/public/js
TheFlow c6b792c542 security: harden admin panel before production deployment
Critical Security Fixes:
1. Remove default credentials from login page (inst_012 compliance)
2. Create auth-check.js utility for client-side authentication
3. Add authentication redirects to all admin pages

Authentication Protection:
- All admin pages now check for valid JWT token on load
- Redirect to login if unauthenticated or token expired
- Token expiration validation (client-side check)
- Role verification (admin/moderator required)
- Periodic token validity checks (every 5 minutes)

Files Protected:
 /admin/dashboard.html
 /admin/rule-manager.html
 /admin/project-manager.html
 /admin/claude-md-migrator.html
 /admin/blog-curation.html
 /admin/audit-analytics.html
(login.html excluded - entry point)

Authentication Flow:
1. User accesses admin page
2. auth-check.js runs immediately
3. Check localStorage for admin_token
4. Parse JWT to verify expiration and role
5. If invalid: redirect to /admin/login.html with reason
6. If valid: allow page to load normally

API Security (already in place):
- All /api/admin/* endpoints require JWT
- authenticateToken middleware validates tokens
- requireRole middleware enforces admin/moderator access

Addresses security concerns:
- inst_012: No internal/confidential data exposure
- inst_013: No sensitive runtime data in public endpoints
- inst_014: No API surface enumeration
- inst_015: No internal documentation exposure

Remaining Recommendations:
- Change default admin password on production (MANUAL STEP)
- Consider IP whitelist for /admin/* (optional)
- Add rate limiting to /api/auth/login (future enhancement)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-10-11 17:26:50 +13:00
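The six-step flow in the commit message (read `admin_token` from localStorage, parse the JWT, check expiry and role, redirect to `/admin/login.html` with a reason, re-check every 5 minutes) as an added example. This is not the project's `auth-check.js`; the claim names `exp` and `role`, the `reason`/`next` query parameters and the function names are assumptions. The one thing to keep in mind when reading it: the browser cannot verify the JWT signature, so this gate only improves UX and stops accidental exposure of admin pages. A forged, unsigned token passes the client check by design (the test helper relies on exactly that), and the server-side `authenticateToken` / `requireRole` middleware the commit mentions remains the actual security boundary for `/api/admin/*`.

```javascript
// Added example of a client-side admin page gate. Not the project's code;
// the claim layout (`exp`, `role`) and all names below are assumptions.

const ADMIN_TOKEN_KEY = 'admin_token';          // assumed localStorage key
const LOGIN_PAGE = '/admin/login.html';         // login page named in the commit
const ALLOWED_ROLES = new Set(['admin', 'moderator']);
const RECHECK_INTERVAL_MS = 5 * 60 * 1000;      // "every 5 minutes"

// base64url -> UTF-8 text. Works in browsers (atob) and Node (Buffer fallback).
function base64UrlDecode(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  const bin = typeof atob === 'function'
    ? atob(padded)
    : Buffer.from(padded, 'base64').toString('binary');
  return decodeURIComponent(
    Array.from(bin, c => '%' + c.charCodeAt(0).toString(16).padStart(2, '0')).join('')
  );
}

// Parse the payload only. The signature is deliberately ignored: the browser
// holds no verification key, so this is a UX gate, not authorization.
function parseJwtPayload(token) {
  if (typeof token !== 'string') return null;
  const parts = token.split('.');
  if (parts.length !== 3) return null;
  try {
    const payload = JSON.parse(base64UrlDecode(parts[1]));
    return payload && typeof payload === 'object' ? payload : null;
  } catch {
    return null;
  }
}

// Returns { ok: true, payload } or { ok: false, reason } where reason is one of
// 'missing' | 'malformed' | 'expired' | 'forbidden'.
function evaluateToken(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  if (!token) return { ok: false, reason: 'missing' };
  const payload = parseJwtPayload(token);
  if (!payload || typeof payload.exp !== 'number') return { ok: false, reason: 'malformed' };
  if (payload.exp <= nowSeconds) return { ok: false, reason: 'expired' };
  if (!ALLOWED_ROLES.has(payload.role)) return { ok: false, reason: 'forbidden' };
  return { ok: true, payload };
}

// Runs the check against an injected storage/location pair so it can be
// exercised outside a browser. Returns the redirect reason, or null if allowed.
function enforceAdminAuth(storage, location, nowSeconds) {
  const result = evaluateToken(storage.getItem(ADMIN_TOKEN_KEY), nowSeconds);
  if (result.ok) return null;
  if (result.reason !== 'missing') storage.removeItem(ADMIN_TOKEN_KEY); // drop stale/invalid token
  const next = encodeURIComponent(location.pathname + location.search);
  location.replace(`${LOGIN_PAGE}?reason=${result.reason}&next=${next}`);
  return result.reason;
}

// Test-only token builder: base64url(header).base64url(payload).<fake signature>.
// That a token with a forged signature passes the client check is the caveat:
// only the server's authenticateToken/requireRole middleware can reject it.
function buildUnsignedToken(payload) {
  const enc = s => (typeof btoa === 'function' ? btoa(s) : Buffer.from(s, 'binary').toString('base64'))
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc(JSON.stringify({ alg: 'HS256', typ: 'JWT' }))}.${enc(JSON.stringify(payload))}.forged`;
}

// Browser entry point: check on load, then re-check periodically.
if (typeof window !== 'undefined' && typeof localStorage !== 'undefined') {
  enforceAdminAuth(localStorage, window.location);
  setInterval(() => enforceAdminAuth(localStorage, window.location), RECHECK_INTERVAL_MS);
}
```

Load it as the first script on each protected page so the redirect fires before any admin markup is rendered; the `next` parameter lets the login page return the user to the page they asked for. Because the periodic check only compares `exp` against the local clock, a token revoked server-side stays "valid" in the browser until it expires; the API calls will fail with 401 in that case, and the page's fetch wrapper should treat that as a redirect trigger too.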
admin security: harden admin panel before production deployment 2025-10-11 17:26:50 +13:00
components feat: implement Priority 1 - Public Blog System with governance enhancements 2025-10-11 14:47:01 +13:00
demos feat(infra): semantic versioning and systemd service implementation 2025-10-09 09:16:22 +13:00
utils feat: add multi-currency support and privacy policy to Koha system 2025-10-08 15:17:23 +13:00
blog-post.js feat: implement Priority 1 - Public Blog System with governance enhancements 2025-10-11 14:47:01 +13:00
blog.js feat: implement Priority 1 - Public Blog System with governance enhancements 2025-10-11 14:47:01 +13:00
docs-app.js feat: implement documentation reorganization with archives 2025-10-11 01:26:14 +13:00
docs-viewer-app.js feat: fix CSP violations & implement three audience paths 2025-10-07 12:21:00 +13:00
koha-transparency.js feat: complete Priority 2 - Enhanced Koha Transparency Dashboard 2025-10-11 17:14:34 +13:00