Nautilus/ledgerdock
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Harden frontend auth token handling in runtime memory

Browse Source
This commit is contained in:
Beda Schmid
2026-03-01 21:29:11 -03:00
parent 8eaaa01186
commit a9333ec973
4 changed files with 16 additions and 69 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
doc/frontend-design-foundation.md
View File

@@ -52,7 +52,8 @@ Do not hardcode new palette or spacing values in component styles when a token a
## Authenticated Media Delivery
- Document previews and thumbnails must load through authenticated fetch flows in `frontend/src/lib/api.ts`, then render via temporary object URLs.
- Runtime auth uses server-issued per-user session tokens persisted with `setRuntimeApiToken` and read by `getRuntimeApiToken`.
- Runtime auth keeps server-issued per-user session tokens only in active-tab memory via `setRuntimeApiToken` and `getRuntimeApiToken`.
- Users must sign in again after a full browser reload, new tab launch, or browser restart because tokens are not persisted in browser storage.
- Static build-time token distribution is not supported.
- Direct `window.open` calls for protected media endpoints are not allowed because browser navigation requests do not include the API token header.
- Download actions for original files and markdown exports must use authenticated blob fetches plus controlled browser download triggers.

5
doc/operations-and-configuration.md
View File

@@ -56,7 +56,7 @@ docker compose logs -f
- `AUTH_LOGIN_FAILURE_WINDOW_SECONDS`
- `AUTH_LOGIN_LOCKOUT_BASE_SECONDS`
- `AUTH_LOGIN_LOCKOUT_MAX_SECONDS`
- Frontend signs in through `/api/v1/auth/login` and stores issued session token in browser session storage.
- Frontend signs in through `/api/v1/auth/login` and keeps issued session token only in active runtime memory.
## DEV And LIVE Configuration Matrix
@@ -119,7 +119,8 @@ Recommended LIVE pattern:
## Frontend Runtime
- Frontend no longer consumes `VITE_API_TOKEN`.
- Session token storage key is `dcm.access_token` in browser session storage.
- Session tokens are not persisted to browser storage.
- Users must sign in again after full page reload, opening a new tab, or browser restart.
- Protected media and file download flows still use authenticated fetch plus blob/object URL handling.
## Validation Checklist