siftlode/frontend
npeter83 a65915ea11 fix(auth): SB3 — keep reset/verify tokens out of URL query strings
Secret email tokens now ride the URL fragment (#reset=/#verify=), never the query
(?reset=/?token=): a fragment isn't sent to the server, so the token can't leak into
proxy/access logs or a Referer header.
- Reset: link → /#reset=; the SPA reads the token from location.hash and POSTs it
  (unchanged /password-reset/confirm).
- Verify: link → /#verify=; new POST /auth/verify (token in body). The legacy GET
  /auth/verify?token= is kept so pre-deploy emails in flight still work until they
  expire. The SPA reads the fragment token, POSTs it, shows ok/invalid.
- Welcome: read secret tokens from the fragment, status flags from the query; strip
  both after capture so nothing lingers in history.
2026-07-12 02:48:40 +02:00
..
public fix(share): let link-preview crawlers fetch /watch/ pages (robots.txt) 2026-07-07 22:56:38 +02:00
src fix(auth): SB3 — keep reset/verify tokens out of URL query strings 2026-07-12 02:48:40 +02:00
index.html feat(share): rich link previews (Open Graph) for /watch pages 2026-07-07 20:19:30 +02:00
package-lock.json feat(plex): P2 player — rich full-page HLS/direct player + watch-state 2026-07-05 04:28:00 +02:00
package.json feat(plex): P2 player — rich full-page HLS/direct player + watch-state 2026-07-05 04:28:00 +02:00
postcss.config.js feat: M4 (part 2) — React reader UI with theming 2026-06-11 02:19:47 +02:00
tailwind.config.js feat: M4 (part 2) — React reader UI with theming 2026-06-11 02:19:47 +02:00
tsconfig.json chore(hygiene): Phase 4 guardrails — noUnusedLocals/Parameters + dead-code sweep 2026-07-12 02:15:52 +02:00
vite.config.ts fix(dev): vite proxy to 127.0.0.1 + throttle error notifications 2026-06-11 22:00:57 +02:00