Harden frontend auth token handling in runtime memory
This commit is contained in:
@@ -56,7 +56,7 @@ docker compose logs -f
|
||||
- `AUTH_LOGIN_FAILURE_WINDOW_SECONDS`
|
||||
- `AUTH_LOGIN_LOCKOUT_BASE_SECONDS`
|
||||
- `AUTH_LOGIN_LOCKOUT_MAX_SECONDS`
|
||||
- Frontend signs in through `/api/v1/auth/login` and stores issued session token in browser session storage.
|
||||
- Frontend signs in through `/api/v1/auth/login` and keeps issued session token only in active runtime memory.
|
||||
|
||||
## DEV And LIVE Configuration Matrix
|
||||
|
||||
@@ -119,7 +119,8 @@ Recommended LIVE pattern:
|
||||
## Frontend Runtime
|
||||
|
||||
- Frontend no longer consumes `VITE_API_TOKEN`.
|
||||
- Session token storage key is `dcm.access_token` in browser session storage.
|
||||
- Session tokens are not persisted to browser storage.
|
||||
- Users must sign in again after full page reload, opening a new tab, or browser restart.
|
||||
- Protected media and file download flows still use authenticated fetch plus blob/object URL handling.
|
||||
|
||||
## Validation Checklist
|
||||
|
||||
Reference in New Issue
Block a user