Conversation
- Enforce explicit CORS origins when authentication is enabled; wildcard '*' is rejected. - Require authentication for non-loopback address binding unless explicitly opted out. - Move OpenAPI schema behind authentication. - Change secrets encryption key derivation to use HKDF-SHA256. - Introduce cookie-based authentication with HttpOnly and SameSite attributes. - Implement login rate limiting to 5 requests per 60 seconds per client IP. - Update request logging to exclude query strings for security. - Add new environment variable `WF_AUTH_REQUIRED` to control authentication requirements. - Migrate existing secrets to the new encryption scheme automatically. - Update frontend to support cookie-based authentication and adjust API calls accordingly. - Add tests to verify new authentication and session management features.
…670) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add a "Portfolio" filter to the securities list with "Current" and "Past" options, defaulting to "Current" so only actively held assets are shown.
Ensure useChatModel resolves to a model visible in ModelPicker by falling back to the first favorite when the default isn't in favorites. Strip trailing /v1 from Ollama provider URL before passing to rig client to prevent 405 errors from double-pathed requests.
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 5636b70119
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
|
|
||
| // Rate limit login: 5 requests per 60 seconds per peer IP | ||
| let login_governor = GovernorConfigBuilder::default() | ||
| .per_second(12) // replenish 1 token every 12s → 5 per 60s |
There was a problem hiding this comment.
The current governor config does not enforce the intended 5 requests / 60s limit: per_second(12) allows roughly 12 requests per second (plus the burst), so password attempts are effectively almost unthrottled. This materially weakens the new brute-force protection on /auth/login, especially on internet-facing deployments where this change is meant to harden authentication.
Useful? React with 👍 / 👎.
| WF_AUTH_TOKEN_TTL_MINUTES: "${WF_AUTH_TOKEN_TTL_MINUTES:-60}" | ||
| WF_CORS_ALLOW_ORIGINS: "${WF_CORS_ALLOW_ORIGINS:-*}" | ||
| # Required when auth is enabled — set to your app's origin, e.g. https://wealthfolio.example.com | ||
| WF_CORS_ALLOW_ORIGINS: "${WF_CORS_ALLOW_ORIGINS}" |
There was a problem hiding this comment.
Using ${WF_CORS_ALLOW_ORIGINS} without a default causes Docker Compose to pass an empty string when the variable is unset; in that case the server builds a CORS origin list containing "", and app_router later calls .parse().unwrap() on it, which panics at startup. This breaks the documented default behavior (*) and can crash even non-auth deployments unless operators manually set the variable every time.
Useful? React with 👍 / 👎.
…ind sticky composer and mobile nav
1 participant
Description
This pull request implements major security hardening for the web server’s authentication and session management, introduces cookie-based authentication, and updates both backend and frontend to support these changes. It also includes breaking changes to CORS and server startup behavior, several frontend bug fixes, and dependency updates. The most important changes are grouped below.
Security and Authentication Hardening:
*) is no longer allowed when authentication is enabled;WF_CORS_ALLOW_ORIGINSmust be set to an explicit origin. The server will refuse to start on non-loopback addresses without authentication, unlessWF_AUTH_REQUIRED=falseis set. These changes are documented inRELEASE_NOTES.mdandREADME.md. [1] [2] [3]HttpOnly; SameSite=Strictsession cookie is set, enabling secure session persistence and removing the need for localStorage token storage. New endpoints/api/v1/auth/logoutand/api/v1/auth/meare added.tower-governor.WF_SECRET_KEYis now split into two derived keys via HKDF-SHA256, with automatic migration for existing secrets./api/v1/openapi.json.Frontend Adaptation for Cookie-based Auth:
credentials: "same-origin"to ensure cookies are sent with requests. [1] [2] [3] [4] [5] [6] [7]withCredentials: true), and query-param token passing is removed. [1] [2]AuthProvider) is updated to detect and manage cookie-based sessions, including proper logout and session expiration handling. [1] [2] [3]Deprecations and Breaking Changes:
Frontend Bug Fixes and Improvements:
Dependency and Integration Updates:
tower-governorfor rate limiting,hkdfandsha2for key derivation.These changes significantly improve the security posture of the application, modernize authentication flows, and ensure the frontend and backend remain in sync regarding authentication state and session management.