openclaw/oikos - oikos - Gitea: Git with a cup of tea

openclaw/oikos

Author	SHA1	Message	Date
Ulas	ee609376a3	fix: resolve recurring iOS PWA forbidden errors via CSRF response header iOS Safari in PWA standalone mode unreliably handles cookies, causing CSRF token desync between client and server after app resume. Previous fixes (response body token in /auth/me and /auth/login) still left a window where the token could go stale. Now the server sends X-CSRF-Token response header on every API response (via csrfMiddleware), including 403 error responses. The client reads this header from every response, enabling instant self-healing: a 403 extracts the correct token from the error response itself and retries without needing an extra /auth/me round-trip. SW cache bumped to v33 to ensure existing iOS PWA installs pick up the new client code.	2026-04-15 18:15:40 +02:00
Ulas	44d1b88e3d	fix: resolve iOS forbidden errors by delivering CSRF token in response body iOS Safari (especially PWA/standalone mode) unreliably exposes cookies via document.cookie, causing CSRF token mismatch on state-changing requests. The CSRF token is now included in /auth/login and /auth/me response bodies and stored in-memory on the client. Cookie remains as fallback. Retry mechanism also improved to read token from response body and handle expired sessions.	2026-04-14 18:53:42 +02:00
Ulas	8d99c3d2d6	fix: resolve iOS PWA session/CSRF issues causing forbidden errors - Renew CSRF cookie on /auth/me (first call after iOS PWA resume) - Add try-catch + hex validation to CSRF middleware for corrupted tokens - Auto-retry state-changing requests on 403 by refreshing CSRF token - Add 200ms delay before SW controllerchange reload to prevent blank page on iOS	2026-04-14 17:37:22 +02:00
Ulas	31b9760bc3	fix: SW-Cache-Version bumpen + fetch cache:no-store für API-Aufrufe Dashboard-Widgets aktualisierten nicht, weil der Service Worker die alte router.js aus dem Cache servierte (stale-while-revalidate). Cache-Version v15→v16 erzwingt Invalidierung aller gecachten Dateien. Zusätzlich fetch cache:no-store auf allen API-Aufrufen als Absicherung. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-26 23:24:11 +01:00
ulsklyc	dd8ad80eb4	feat: Phase 5 — Härtung (CSRF, Rate-Limit, Validation, Error Boundary, README) Schritt 28 — CSRF-Schutz (Double Submit Cookie Pattern): - server/middleware/csrf.js: generiert 32-Byte-Token, speichert in Session + Cookie; validiert X-CSRF-Token-Header auf POST/PUT/PATCH/DELETE via timingSafeEqual - server/auth.js: CSRF-Token beim Login erzeugen und als Cookie setzen - public/api.js: getCsrfToken() liest Cookie; apiFetch() sendet Header auf state-ändernden Requests automatisch Schritt 29 — Globaler Rate-Limiter: - server/index.js: apiLimiter (300 req/min/IP) auf allen /api/-Routen; ergänzt den bestehenden loginLimiter (5 req/min) Schritt 27 — Zentralisierte Eingabe-Validierung: - server/middleware/validate.js: str(), oneOf(), date(), time(), num(), color(), collectErrors() mit einheitlichen Längengrenzen (MAX_TITLE=200, MAX_TEXT=5000) - server/routes/tasks.js: validateTaskInput() nutzt nun validate.js Schritt 31 — Frontend Error Boundary: - public/router.js: window.onerror + unhandledrejection-Handler zeigen Toast Schritt 33 — README.md: - Setup-Anleitung (Docker + Node.js), Nginx-Config, User-Verwaltung, Umgebungsvariablen-Referenz, Backup, Sicherheitsübersicht Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-03-24 22:00:47 +01:00
ulsklyc	d49cbe33b3	feat: Phase 1 — Projektstruktur, DB-Schema, Auth-System - Vollständige Verzeichnisstruktur gemäß CLAUDE.md - Express-Server mit Helmet, Sessions, Rate Limiting, SPA-Fallback - SQLite-Schema (Migration v1): 10 Tabellen, updated_at-Triggers, Indizes - Versioniertes Migrations-System (schema_migrations) - Auth-Routen: Login, Logout, /me, Admin-User-CRUD - Frontend App-Shell: SPA-Router, API-Client, Design-System (CSS Tokens) - PWA: Service Worker, Web App Manifest - Setup-Script für ersten Admin-User (node setup.js) - DB-Tests mit node:sqlite built-in: 29/29 bestanden - Docker Compose + Dockerfile + Nginx-Beispielkonfiguration Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-03-24 14:32:36 +01:00