lundberg/porchlight
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
145 commits 1 branch 0 tags 882 KiB
Commit graph

4 commits

Author SHA1 Message Date
Johan Lundberg
91a2277664
fix(security): store only a hash of magic-link tokens 
Magic-link tokens were persisted in plaintext, so a database read disclosed
usable login/invite tokens. The service now hashes tokens (HMAC-SHA256 when a
pepper is configured, else SHA-256 of the high-entropy token) and persists
only the hash; the raw token is exposed solely in the registration URL and is
re-attached to objects returned to callers.

Refs: porchlight-42h

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
 2026-06-04 10:36:18 +02:00
Johan Lundberg
1c21d6d199
test: add failing test for registering pre-existing users 
Part of CLI module work (fastapi-oidc-op-9lb.1). The test verifies that
/register/{token} handles users already created by initial-admin.
 2026-02-17 14:09:00 +01:00
Johan Lundberg
7cb1adbd06
update all imports in test files: fastapi_oidc_op → porchlight 2026-02-16 15:34:53 +01:00
Johan Lundberg
e15dcc4745
feat: add authentication routes with session login, WebAuthn, and credential management 
Implement Phase 4 auth routes: password login/logout, WebAuthn
registration and authentication, magic link registration, and
credential management pages with HTMX. Includes session middleware,
Jinja2 templates, vendored HTMX, and last-credential guardrails.

120 tests passing.
 2026-02-16 11:39:50 +01:00