feat(auth): split base sign-in from YouTube scopes for incremental onboarding
Base login now requests only openid/email/profile (non-sensitive), so a new user gets a clean Google consent with no "unverified app" warning and no 7-day refresh token expiry. YouTube read (youtube.readonly) and write (youtube) are granted later by the onboarding wizard via a parameterized /auth/upgrade?access=read|write. Security fixes folded in from the baseline audit: - config: refuse to boot in production (https OAUTH_REDIRECT_URL) with the placeholder/short SECRET_KEY or a missing TOKEN_ENCRYPTION_KEY, closing a session-forgery / admin-impersonation hole. - main: mark the session cookie Secure when served over HTTPS. - me: expose can_read; sync/subscriptions returns a friendly 403 (not a 500) until YouTube read access is granted.
This commit is contained in:
parent
01ebdee8bc
commit
580d7f0e0d
6 changed files with 81 additions and 17 deletions
|
|
@ -9,6 +9,8 @@ POSTGRES_DB=subfeed
|
|||
APP_PORT=8080
|
||||
|
||||
# Session signing key. Generate with: python -c "import secrets;print(secrets.token_urlsafe(48))"
|
||||
# In production (an https OAUTH_REDIRECT_URL) the app refuses to start with this placeholder
|
||||
# or any key shorter than 32 chars — a known signing key would let anyone forge a session.
|
||||
SECRET_KEY=change-me-session-key
|
||||
|
||||
# Fernet key for encrypting stored OAuth refresh tokens. Generate with:
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue