fix: alpha release hardening — onboarding, security, and ISO build
- Convert "Choose Your Path" screen to informative (read-only cards) - Harden "Choose Your Setup" (gray out Coming Soon options, auto-select Fresh Start) - Auto-fetch DID on mount with retry and auto-advance after success - Improve backup download for mobile compatibility - Add retry logic to verify step with graceful skip option - Route verify → done → login for complete onboarding flow - Add AIUI install confirmation via custom event (SEC-001) - Add file path whitelist for AIUI file access (SEC-002) - Add log redaction for container logs sent to AIUI (SEC-003) - Add Secure flag to session cookie in production (SEC-004) - Fix ISO build script to handle zstd compression errors gracefully - Sync archipelago.service from live server Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@@ -88,6 +88,10 @@ impl RpcHandler {
|
||||
})
|
||||
}
|
||||
|
||||
fn cookie_suffix(&self) -> &'static str {
|
||||
if self.config.dev_mode { "" } else { "; Secure" }
|
||||
}
|
||||
|
||||
pub async fn handle(
|
||||
&self,
|
||||
req: Request<hyper::Body>,
|
||||
@@ -276,7 +280,7 @@ impl RpcHandler {
|
||||
let token = self.session_store.create_pending(secret).await;
|
||||
response.headers_mut().insert(
|
||||
"Set-Cookie",
|
||||
format!("session={}; HttpOnly; SameSite=Strict; Path=/", token)
|
||||
format!("session={}; HttpOnly; SameSite=Strict; Path=/{}", token, self.cookie_suffix())
|
||||
.parse()
|
||||
.unwrap(),
|
||||
);
|
||||
@@ -295,7 +299,7 @@ impl RpcHandler {
|
||||
let token = self.session_store.create().await;
|
||||
response.headers_mut().insert(
|
||||
"Set-Cookie",
|
||||
format!("session={}; HttpOnly; SameSite=Strict; Path=/", token)
|
||||
format!("session={}; HttpOnly; SameSite=Strict; Path=/{}", token, self.cookie_suffix())
|
||||
.parse()
|
||||
.unwrap(),
|
||||
);
|
||||
@@ -310,11 +314,14 @@ impl RpcHandler {
|
||||
if let Some(token) = &session_token {
|
||||
self.session_store.remove(token).await;
|
||||
}
|
||||
let logout_cookie = if self.config.dev_mode {
|
||||
"session=; HttpOnly; SameSite=Strict; Path=/; Max-Age=0".to_string()
|
||||
} else {
|
||||
"session=; HttpOnly; SameSite=Strict; Path=/; Max-Age=0; Secure".to_string()
|
||||
};
|
||||
response.headers_mut().insert(
|
||||
"Set-Cookie",
|
||||
"session=; HttpOnly; SameSite=Strict; Path=/; Max-Age=0"
|
||||
.parse()
|
||||
.unwrap(),
|
||||
logout_cookie.parse().unwrap(),
|
||||
);
|
||||
}
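Review bot: The logout branch at the end of the last hunk spells out both cookie variants by hand instead of calling the `cookie_suffix()` helper that the first hunk introduces, so the three Set-Cookie sites can now drift apart and a future attribute change has to be made in four places. One line does the same job: `let logout_cookie = format!("session=; HttpOnly; SameSite=Strict; Path=/; Max-Age=0{}", self.cookie_suffix());`. Note also that the `Secure` attribute is only as strong as `config.dev_mode` being false in production, so a doc comment on `cookie_suffix` such as `/// Omits Secure in dev_mode so the cookie works over plain http://localhost; production deployments must keep dev_mode off.` would make that dependency explicit. The cleared cookie correctly repeats `Path=/`, which it must for the browser to match the original cookie. `handle` starts before the first hunk and its body continues past the last one.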
|
||||
|
||||
|
||||