Archive/screentinker
1
0
Fork 0
mirror of https://github.com/screentinker/screentinker.git synced 2026-06-17 03:32:32 -06:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity
screentinker/server
History
ScreenTinker f4c5865013
Some checks are pending
CI / Unit tests (node --test) (push) Waiting to run
Details
CI / OpenAPI spec lint (push) Waiting to run
Details
CI / Android unit tests (Kotlin schedule evaluator vectors) (push) Waiting to run
Details
CI / Boot smoke + version check (push) Waiting to run
Details
fix(server): strip totp_secret_enc/totp_last_step from login responses (#100) 
Review caught the encrypted TOTP secret riding in the login/verify response body:
issueSession receives a SELECT * user row and only destructured out password_hash, so
totp_secret_enc (and the internal replay counter totp_last_step) leaked. Encrypted, so
not catastrophic, but it regresses the API work's "secrets never in responses" rule.
Strip both in issueSession (covers /login and /totp/verify); add an assertion that a
verify response carries no totp_secret_enc.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-13 20:48:55 -05:00
..
config feat(api): token management endpoints + Settings UI 2026-06-12 18:45:09 -05:00
db chore(server): TOTP schema + otplib dep (#100) 2026-06-13 20:48:55 -05:00
lib feat(server): TOTP primitives - encrypted secret, hashed recovery codes, verify lockout (#100) 2026-06-13 20:48:55 -05:00
middleware feat(server): TOTP MFA login flow + enrollment/verify endpoints (#100) 2026-06-13 20:48:55 -05:00
player feat(scheduling): per-item schedule blocks (#74 dayparting, #75 auto-expire) 2026-06-11 15:46:41 -05:00
routes fix(server): strip totp_secret_enc/totp_last_step from login responses (#100) 2026-06-13 20:48:55 -05:00
scripts feat(scheduling): per-item schedule blocks (#74 dayparting, #75 auto-expire) 2026-06-11 15:46:41 -05:00
services feat(scheduling): per-item schedule blocks (#74 dayparting, #75 auto-expire) 2026-06-11 15:46:41 -05:00
test fix(server): strip totp_secret_enc/totp_last_step from login responses (#100) 2026-06-13 20:48:55 -05:00
ws feat(scheduling): per-item schedule blocks (#74 dayparting, #75 auto-expire) 2026-06-11 15:46:41 -05:00
.gitignore feat(email): Microsoft Graph send + alert spam protection + preferences UI 2026-05-12 18:16:40 -05:00
config.js chore(version): single-source VERSION, env-configurable data paths, bump tooling 2026-06-10 12:56:03 -05:00
package-lock.json chore(server): TOTP schema + otplib dep (#100) 2026-06-13 20:48:55 -05:00
package.json chore(server): TOTP schema + otplib dep (#100) 2026-06-13 20:48:55 -05:00
server.js fix(server): rate-limit per endpoint, not the stripped req.path (#100) 2026-06-13 20:48:55 -05:00
version.js chore(version): single-source VERSION, env-configurable data paths, bump tooling 2026-06-10 12:56:03 -05:00