mirror of
https://github.com/johannesjo/super-productivity.git
synced 2026-07-18 17:05:48 +00:00
* fix(sync): prevent magic link prefetch failures and improve auth resilience - Make /magic-login prefetch-immune: GET now renders a confirmation page instead of consuming the single-use token. A "Log In" button triggers POST /api/login/magic-link/verify which does the actual verification. This prevents email client link prefetchers (Outlook SafeLinks, Gmail) from consuming magic link tokens before users click them. - Increase rate limits on auth endpoints for shared-IP scenarios (e.g. university NAT). Global: 100→500, register: 10→50, login: 5→30, verify: 10→50, magic-login page: 10→50. - Add trustProxy to Fastify so req.ip uses X-Forwarded-For behind reverse proxies instead of collapsing all clients to one rate bucket. - Clear stale SuperSync auth tokens after 3 consecutive AuthFailSPErrors instead of never clearing them. Prevents persistent failure loops where an invalid token keeps retrying indefinitely until app reinstall. - Improve registration-to-login UX messaging to emphasize email verification is required before login links will work. https://claude.ai/code/session_01WkbLzvhguQwRDtk7ht38aY * chore: update package-lock.json from npm install https://claude.ai/code/session_01WkbLzvhguQwRDtk7ht38aY * fix(sync): address review feedback for auth resilience - Remove conflicting style.css link from magic-login page - Change trustProxy from true to 1 (trust single hop only) - Increase /login/magic-link rate limit from 30 to 50 per 15min - Delete dead magic-login-redirect.js (replaced by magic-login-confirm.js) - Reset auth failure counter on non-auth errors (truly consecutive) - Add test for counter reset on non-auth error between auth errors https://claude.ai/code/session_01WkbLzvhguQwRDtk7ht38aY * fix(sync): increase passkey rate limits and fix CSP inline script violations - Increase passkey endpoint rate limits to match magic-link equivalents (50/15min) - Extract inline scripts from /reset-password and /recover-passkey pages into external JS files to comply with CSP scriptSrc: ["'self'"] - Remove dead safeJsonForScript helper (no longer needed) - Increase /recover-passkey page rate limit to 50/15min for consistency https://claude.ai/code/session_01WkbLzvhguQwRDtk7ht38aY * fix(sync): update security tests for escapeHtml and fix recover/passkey rate limit - Update server-security.spec.ts: tests now check for escapeHtml output (<, ") instead of safeJsonForScript output (\u003c), matching the new data-token attribute approach - Increase /recover/passkey rate limit from 30 to 50 per 15min to match /login/magic-link (both send email with a secret link) https://claude.ai/code/session_01WkbLzvhguQwRDtk7ht38aY * fix(sync): reset auth failure counter after successful download Move the counter reset from the final InSync return to right after downloadRemoteOps() succeeds. This ensures early returns (cancelled, LWW pending, payload rejected) also break the consecutive-failure chain, since a successful download confirms auth is working. https://claude.ai/code/session_01WkbLzvhguQwRDtk7ht38aY --------- Co-authored-by: Claude <noreply@anthropic.com> |
||
|---|---|---|
| .. | ||
| integration | ||
| api.routes.spec.ts | ||
| auth-flows.spec.ts | ||
| cleanup.spec.ts | ||
| config.spec.ts | ||
| conflict-detection.spec.ts | ||
| decompress-body.spec.ts | ||
| device.service.spec.ts | ||
| duplicate-operation-precheck.spec.ts | ||
| email.spec.ts | ||
| gap-detection.spec.ts | ||
| magic-link-registration.spec.ts | ||
| middleware.spec.ts | ||
| operation-download.service.spec.ts | ||
| passkey.spec.ts | ||
| password-reset-api.spec.ts | ||
| password-reset.spec.ts | ||
| rate-limit.service.spec.ts | ||
| registration-api.spec.ts | ||
| replace-token-expiry.spec.ts | ||
| request-deduplication.service.spec.ts | ||
| retention-config.spec.ts | ||
| security-fixes.spec.ts | ||
| server-security.spec.ts | ||
| setup.ts | ||
| snapshot-skip-optimization.spec.ts | ||
| snapshot.service.spec.ts | ||
| storage-quota-cleanup.spec.ts | ||
| storage-quota.service.spec.ts | ||
| sync-fixes.spec.ts | ||
| sync-operations.spec.ts | ||
| sync-types.spec.ts | ||
| sync.routes.spec.ts | ||
| sync.service.spec.ts | ||
| sync.service.test-state.ts | ||
| time-tracking-operations.spec.ts | ||
| validation.service.spec.ts | ||
| websocket-connection.service.spec.ts | ||
| websocket.routes.spec.ts | ||