fix(webui,infra): drop private npm registry, httpOnly tokens, Helm secrets, proxy hardening (FC/FH/FM)#59
Conversation
…crets, harden proxy (FC/FH/FM) Frontend + infra hardening: - FC1: delete services/webui/.npmrc (private GitHub Packages registry + NODE_AUTH_TOKEN). - FM2: remove NODE_AUTH_TOKEN build-arg from CI; add a webui lint/typecheck/build gate before the image is built/pushed. - FC3: untrack all committed node_modules/ (root, web, services/webui, shared, tests) and gitignore node_modules/, *.tgz, .npmrc. - FH1: stop storing JWTs in localStorage/zustand-persist; rely on backend httpOnly Secure SameSite cookies (axios withCredentials); persist only non-sensitive user info. - FH3: add helmet + CSP + trust-proxy and proxyTimeout on both proxies (Express). - FM1: fix Go-proxy route/baseURL mismatch so /api/go/* actually reaches the Go backend. - FH2: Helm charts support existingSecret; values-prod uses an external secret (no more changeme-in-production shipped to prod); secret.yaml renders inline only for dev/alpha. - FM3: prod images support @sha256 digest pinning (placeholder + TODO for CI/Renovate). FC2 (partial): react-libs kept as vendored file: tarball because @penguintechinc/react-libs@1.1.5 is NOT on public npm (404). The private-registry violation is removed; publishing react-libs to public npm is required to fully close FC2 (tracked as TODO in .gitignore + report). Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
|
Review the following changes in direct dependencies. Learn more about Socket for GitHub.
|
- Remove unused onToggle prop from Sidebar (never referenced in Layout) - Remove unused imports: externalApi from useApi, setTokens/clearTokens/getAccessToken from useAuth - Fix unused parameter 'get' in useAuth zustand store - Remove unused 'login' from useAuth hook in Login.tsx - Fix setTokens call that doesn't exist (tokens are httpOnly cookies) - Fix user property mapping: full_name → name, role → roles array - Add missing privacyPolicyUrl to GDPRConfig in LoginPageBuilder - Fix role type narrowing in Users.tsx create form - Add "composite": true to tsconfig.server.json for monorepo support All tsc errors now resolved; npm run typecheck passes clean. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
|
Caution Review the following alerts detected in dependencies. According to your organization's Security Policy, you must resolve all "Block" alerts before proceeding. It is recommended to resolve "Warn" alerts too. Learn more about Socket for GitHub.
|
…ixes Merge typecheck fixes from #59 into #64: - Removed unused onToggle prop from Sidebar + Layout - Removed unused imports: externalApi from useApi, setTokens/clearTokens/getAccessToken from useAuth - Fixed unused parameter 'get' in useAuth zustand store - Removed unused 'login' import from Login page - Fixed user property mapping and GDPRConfig in Login - Fixed role type narrowing in Users form Additional #64 fixes: - Remove unused ShortLink import from Analytics - Remove unused barWidth variable from chart renderer - Remove unused RoleGuard import from Links - Remove unused user destructuring from Links All tsc errors now resolved; npm run typecheck passes clean. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Security fixes (Track A6) — frontend + infra
Targets
release/v0.1.xdirectly (independent of the backend stack — different files).Critical / high
services/webui/.npmrc(private GitHub Packages registry +NODE_AUTH_TOKEN).node_modules/(root, web, services/webui, shared, tests) and gitignorednode_modules/,*.tgz,.npmrc.withCredentials); persist stores only non-sensitive user info.existingSecret;values-prod.yamlreferences an external secret so prod no longer shipschangeme-in-production; inlinesecretDatarenders for dev/alpha only.helmet+ CSP +trust proxy+proxyTimeouton both proxies.Medium
/api/go/*reaches the Go backend.NODE_AUTH_TOKENCI build-arg; added a webui lint/typecheck/build gate before image push.@sha256digest pinning (placeholder + TODO for CI/Renovate).@penguintechinc/react-libs@1.1.5is NOT published on public npm (404). The private-registry violation is fully removed, but the package is kept as a vendoredfile:tarball (which needs no registry/token) as a safe interim so the build still works. To fully close FC2, react-libs 1.1.5 must be published to public npm, thenpackage.jsoncan reference the public version and the tarball can be deleted. Tracked as a TODO in.gitignoreand the commit body.Follow-ups needing network/CI
services/webui/package-lock.jsonregenerated for helmet; will be re-validated by the new CItest-webuijob onnpm ci.values-prod.yamlimage digests aresha256:PIN_MEplaceholders for CI/Renovate to pin.🤖 Generated with Claude Code