lundberg/porchlight
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
159 commits 1 branch 0 tags 882 KiB
Commit graph

7 commits

Author SHA1 Message Date
Johan Lundberg
c175633980
fix(security): POST WebAuthn login-begin; render JS errors as text 
Two WebAuthn client/route hardening fixes:

- GET /login/webauthn/begin wrote a challenge to the session on a safe method
  (login-flow DoS / CSRF surface). Make it POST with CSRF, matching the
  registration-begin endpoint; update webauthn.js and tests accordingly.

- webauthn.js rendered dynamic error text (err.message, server error fields)
  via innerHTML — an XSS-prone sink. Add showAlert() that sets textContent;
  route all dynamic error messages through it. The trusted server-rendered
  credentials partial is still injected as markup.

Refs: porchlight-cog, porchlight-t7y

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
 2026-06-05 14:04:24 +02:00
Johan Lundberg
1054feb534
fix: reorder imports and use ty-compatible type suppression 2026-02-19 14:29:01 +01:00
Johan Lundberg
f648422227
test: update all tests to include CSRF tokens 2026-02-19 14:19:47 +01:00
Johan Lundberg
cd9469342b
refactor: fix lint warnings in webauthn login tests 2026-02-17 13:46:02 +01:00
Johan Lundberg
32567b5484
feat: rewrite WebAuthn login routes for usernameless discoverable credential flow 2026-02-17 13:38:17 +01:00
Johan Lundberg
7cb1adbd06
update all imports in test files: fastapi_oidc_op → porchlight 2026-02-16 15:34:53 +01:00
Johan Lundberg
e15dcc4745
feat: add authentication routes with session login, WebAuthn, and credential management 
Implement Phase 4 auth routes: password login/logout, WebAuthn
registration and authentication, magic link registration, and
credential management pages with HTMX. Includes session middleware,
Jinja2 templates, vendored HTMX, and last-credential guardrails.

120 tests passing.
 2026-02-16 11:39:50 +01:00