ScreenTinker
afbe113acf
Security audit remediation: auth, IDOR, XSS, hardening
...
- Device WebSocket authentication: devices get a device_token on
registration, must present it on reconnect. All WS events require
prior auth. Timing-safe token comparison.
- IDOR fixes: ownership checks on schedules (device, week), layouts
(all CRUD, zones, duplicate, device assign), video-walls (content,
device-config).
- XSS prevention: shared esc() helper in utils.js, fixed 13 innerHTML
injection points across 9 frontend files.
- OAuth hardening: no longer silently overwrites auth_provider on
accounts with local passwords (returns 409).
- JWT pinned to HS256 for sign and verify.
- Password policy: change endpoint now requires 8 chars (was 6).
- HSTS header enabled (max-age 1 year, includeSubDomains).
- Stripe webhook rejects unsigned payloads when no secret configured.
- Screenshot size validation (max 2MB base64).
- Rate limiting on exports, imports, content operations.
- Content file serving checks playlist_items instead of old assignments.
- Content ownership verified in device-groups assign-content.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-11 22:48:07 -05:00
