siftlode/frontend
npeter83 95d1549570 feat(auth): SA4 — server-side session revocation via per-user session epoch
Signed client-side session cookies had no server-side kill switch: logout + password
reset couldn't evict a stolen/copied cookie (valid until expiry). Add User.session_epoch
(migration 0053), record it in the cookie at every login, and reject in current_user any
cookie whose recorded epoch is behind the account's current one.
- Bump the epoch on: password reset (kills ALL sessions — a reset is a compromise response),
  password change + a new 'Log out other sessions' action (both re-stamp the CURRENT cookie
  so the caller stays signed in, evicting only the others).
- Per-account epoch map in the session so one account's revocation doesn't evict the other
  signed-in accounts in the same browser wallet.
- Missing epoch (pre-SA4 cookie) is treated as 0, so the first bump revokes grandfathered
  sessions too.
- New POST /auth/logout-others + a Settings → Account 'Active sessions' button (trilingual).
2026-07-12 03:00:16 +02:00
..
public fix(share): let link-preview crawlers fetch /watch/ pages (robots.txt) 2026-07-07 22:56:38 +02:00
src feat(auth): SA4 — server-side session revocation via per-user session epoch 2026-07-12 03:00:16 +02:00
index.html feat(share): rich link previews (Open Graph) for /watch pages 2026-07-07 20:19:30 +02:00
package-lock.json feat(plex): P2 player — rich full-page HLS/direct player + watch-state 2026-07-05 04:28:00 +02:00
package.json feat(plex): P2 player — rich full-page HLS/direct player + watch-state 2026-07-05 04:28:00 +02:00
postcss.config.js feat: M4 (part 2) — React reader UI with theming 2026-06-11 02:19:47 +02:00
tailwind.config.js feat: M4 (part 2) — React reader UI with theming 2026-06-11 02:19:47 +02:00
tsconfig.json chore(hygiene): Phase 4 guardrails — noUnusedLocals/Parameters + dead-code sweep 2026-07-12 02:15:52 +02:00
vite.config.ts fix(dev): vite proxy to 127.0.0.1 + throttle error notifications 2026-06-11 22:00:57 +02:00