Skip to content

📝 Add comments #7

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
ebigunso merged 24 commits into from
Aug 11, 2025
Merged

📝 Add comments #7

ebigunso merged 24 commits into from
Aug 11, 2025

Conversation

@ebigunso
Copy link
Owner

@ebigunso ebigunso commented Aug 11, 2025

No description provided.

@ebigunso ebigunso self-assigned this Aug 11, 2025
Copilot AI review requested due to automatic review settings August 11, 2025 22:07
Copilot AI reviewed Aug 11, 2025
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR adds authentication, CSRF protection, and comprehensive security features to the sleep API. The changes include login/logout functionality, encrypted session cookies, double-submit CSRF protection, security headers, and authentication middleware.

Key changes:

  • Implements single-user authentication with session cookies and CSRF protection
  • Adds security middleware and headers for production deployment
  • Updates all existing endpoints to require authentication and CSRF protection for mutating operations

Reviewed Changes

Copilot reviewed 18 out of 20 changed files in this pull request and generated 4 comments.

Show a summary per file
File Description
sleep-api/src/auth.rs Core authentication utilities for session management and credential verification
sleep-api/src/security/ CSRF protection and security headers implementation
sleep-api/src/middleware/ Authentication extractors for protecting routes
sleep-api/src/app.rs Updated router with login/logout endpoints and auth requirements
sleep-api/tests/ Test files updated with authentication and CSRF handling
sleep-api/src/config.rs Configuration helpers for admin credentials and cookie settings
Cargo.toml Added dependencies for authentication and testing
openapi.yaml Updated API specification with authentication requirements
README.md Comprehensive documentation for authentication and security features
.env.example Environment configuration template

ebigunso added 24 commits August 12, 2025 07:09
@ebigunso
PR-A: deps, .env.example, and pw-hash helper; add config for admin an…
39431cb 
…d session key
@ebigunso
PR-A: add auth, CSRF, and security header modules (scaffold)
6eec5bb
@ebigunso
PR-A: wire AppState + session auth, CSRF, and security headers; add /…
f3d4f87 
…login and /logout; protect /trends and mutating APIs; add tests (auth_csrf) and update existing tests; switch CSRF token to URL-safe base64; clippy clean
@ebigunso
🎨 Format
296031e
@ebigunso
docs: add module and item docs for auth, CSRF, headers, middleware, A…
6fd8dd3 
…ppState, config, and pw-hash; align with existing project style
@ebigunso
fix(doctest): make axum Router state explicit in doctest examples to …
a29876e 
…satisfy type inference; all tests pass
@ebigunso
chore: replace eprintln! with tracing::debug in CSRF guard; fix clipp…
a8651e6 
…y warnings in tests (format args, remove needless borrows); keep unsafe env var blocks per project guidance. Refs #5
@ebigunso
🎨 Format
e0dc988
@ebigunso
chore(csrf): use percent-encoding crate for header token decoding; sw…
9b6e8f6 
…itch RNG sources to password-hash rand_core OsRng to resolve rand_core version mismatch; run cargo fmt and clippy; address PR feedback. Refs #5
@ebigunso
⬆️ Update lock file
8aa3a98
@ebigunso
🎨 Format
d8b8a63
@ebigunso
chore(csrf): move X_CSRF_TOKEN to module scope; remove unused rand de…
6ff1541 
…pendency; run fmt/clippy. Refs #5
@ebigunso
Lock file update
0fa8625
@ebigunso
🚨 Fix linter error
ee989bd
@ebigunso
fix(login): accept HTML form and JSON payloads for /login
d71f569
@ebigunso
docs(csrf): remove unused CSRF_SECRET; clarify double-submit design
c9d5458
@ebigunso
feat(cookie): support dev-mode cookie names/flags via COOKIE_SECURE; …
f4746d3 
…use config-based names for session/CSRF cookies; switch to axum_extra::either::Either for /login form+JSON
@ebigunso
docs(openapi): add /login and /logout; document cookie-based auth and…
b7949d9 
… CSRF; update README for COOKIE_SECURE and double-submit
@ebigunso
feat(auth): split /login handlers (form + JSON) and update tests; fea…
d6c5115 
…t(session): add SESSION_TTL_HOURS Max-Age; feat(security): COOKIE_SECURE dev-mode cookie names/flags; refactor(csrf): dynamic cookie names and header handling; docs(openapi,README): add /login.json, securitySchemes and CSRF requirements; chore(CSP): add connect-src 'self'
@ebigunso
auth: /login accepts form or JSON; form redirects 303. security: CSRF…
3c7c4ab 
…-protect /logout; gate GET /sleep/date and trends APIs by session. headers: CSP allow cdn.jsdelivr.net for Chart.js.
@ebigunso
spec: /login 303 form redirect; deprecate /login.json; add 401/403 to…
5777b16 
… protected endpoints; gate GET endpoints in spec. tests: CSRF required on logout; add percent-encoded CSRF header test and dev cookie flags test.
@ebigunso
tests: isolate env with serial_test; enforce COOKIE_SECURE=1 in CSRF …
7ace6af 
…tests; add percent-encoded token and dev cookie flags coverage. build: add serial_test dev-dep.
@ebigunso
🩹 Small fixes
cdd1cee
@ebigunso
docs(app): add rustdoc for handlers and pages (auth, CRUD, trends) in…
26e9865 
… app.rs
@ebigunso ebigunso force-pushed the feature/2025-08-11/security-update branch from 055d64c to 26e9865 Compare August 11, 2025 22:10
@ebigunso ebigunso merged commit f6efa52 into main Aug 11, 2025
2 checks passed
@ebigunso ebigunso deleted the feature/2025-08-11/security-update branch August 11, 2025 22:15
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

Assignees

@ebigunso ebigunso

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@ebigunso