siftlode/frontend
npeter83 07dba4da9e fix(auth): address SA4 review findings (WS epoch check, commit ordering, verify guard)
Adversarial re-review of the session-epoch work surfaced:
- WS auth (messages_ws) skipped the epoch check, so a revoked-but-unexpired cookie
  could still open the live push channel after a reset/logout-others. Now mirrors
  current_user: loads the user once, rejects a stale-epoch cookie before connecting.
- set_password + logout_others re-stamped the cookie BEFORE db.commit(); a failed
  commit would strand the current session at a newer epoch than the DB and wrongly
  401 it. Commit first, then re-stamp.
- Welcome verify effect could double-POST the single-use token (StrictMode/remount)
  and flip the banner to a false 'invalid'. Fire-once useRef guard.

Left as-is (low value, documented): the Plex image proxy authenticates without a DB
load / epoch check (poster/art fetches only); adding one would cost a DB hit per image.
2026-07-12 03:07:13 +02:00
..
public fix(share): let link-preview crawlers fetch /watch/ pages (robots.txt) 2026-07-07 22:56:38 +02:00
src fix(auth): address SA4 review findings (WS epoch check, commit ordering, verify guard) 2026-07-12 03:07:13 +02:00
index.html feat(share): rich link previews (Open Graph) for /watch pages 2026-07-07 20:19:30 +02:00
package-lock.json feat(plex): P2 player — rich full-page HLS/direct player + watch-state 2026-07-05 04:28:00 +02:00
package.json feat(plex): P2 player — rich full-page HLS/direct player + watch-state 2026-07-05 04:28:00 +02:00
postcss.config.js feat: M4 (part 2) — React reader UI with theming 2026-06-11 02:19:47 +02:00
tailwind.config.js feat: M4 (part 2) — React reader UI with theming 2026-06-11 02:19:47 +02:00
tsconfig.json chore(hygiene): Phase 4 guardrails — noUnusedLocals/Parameters + dead-code sweep 2026-07-12 02:15:52 +02:00
vite.config.ts fix(dev): vite proxy to 127.0.0.1 + throttle error notifications 2026-06-11 22:00:57 +02:00