fix: alpha release hardening — onboarding, security, and ISO build

- Convert "Choose Your Path" screen to informative (read-only cards)
- Harden "Choose Your Setup" (gray out Coming Soon options, auto-select Fresh Start)
- Auto-fetch DID on mount with retry and auto-advance after success
- Improve backup download for mobile compatibility
- Add retry logic to verify step with graceful skip option
- Route verify → done → login for complete onboarding flow
- Add AIUI install confirmation via custom event (SEC-001)
- Add file path whitelist for AIUI file access (SEC-002)
- Add log redaction for container logs sent to AIUI (SEC-003)
- Add Secure flag to session cookie in production (SEC-004)
- Fix ISO build script to handle zstd compression errors gracefully
- Sync archipelago.service from live server

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Dorian
2026-03-06 13:00:28 +00:00
parent e55fd3baf0
commit 589adb8b18
10 changed files with 252 additions and 198 deletions


@@ -88,6 +88,10 @@ impl RpcHandler {
})
}
fn cookie_suffix(&self) -> &'static str {
if self.config.dev_mode { "" } else { "; Secure" }
}
pub async fn handle(
&self,
req: Request<hyper::Body>,
@@ -276,7 +280,7 @@ impl RpcHandler {
let token = self.session_store.create_pending(secret).await;
response.headers_mut().insert(
"Set-Cookie",
format!("session={}; HttpOnly; SameSite=Strict; Path=/", token)
format!("session={}; HttpOnly; SameSite=Strict; Path=/{}", token, self.cookie_suffix())
.parse()
.unwrap(),
);
@@ -295,7 +299,7 @@ impl RpcHandler {
let token = self.session_store.create().await;
response.headers_mut().insert(
"Set-Cookie",
format!("session={}; HttpOnly; SameSite=Strict; Path=/", token)
format!("session={}; HttpOnly; SameSite=Strict; Path=/{}", token, self.cookie_suffix())
.parse()
.unwrap(),
);
@@ -310,11 +314,14 @@ impl RpcHandler {
if let Some(token) = &session_token {
self.session_store.remove(token).await;
}
let logout_cookie = if self.config.dev_mode {
"session=; HttpOnly; SameSite=Strict; Path=/; Max-Age=0".to_string()
} else {
"session=; HttpOnly; SameSite=Strict; Path=/; Max-Age=0; Secure".to_string()
};
response.headers_mut().insert(
"Set-Cookie",
"session=; HttpOnly; SameSite=Strict; Path=/; Max-Age=0"
.parse()
.unwrap(),
logout_cookie.parse().unwrap(),
);
}
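Review bot: The logout path in the last hunk (the `logout_cookie` branch) repeats the `dev_mode` check and the full cookie string instead of reusing the new `cookie_suffix()`, so the three `Set-Cookie` sites can drift apart the next time an attribute changes; it could be `let logout_cookie = format!("session=; HttpOnly; SameSite=Strict; Path=/; Max-Age=0{}", self.cookie_suffix());`. Because `Secure` now depends only on `config.dev_mode`, `cookie_suffix()` deserves a doc comment along the lines of `/// Returns "; Secure" unless dev_mode is set; dev_mode must never be enabled on a deployment that real users reach.` It is also worth confirming that every production deployment is reached over HTTPS, since browsers normally refuse to store a `Secure` cookie delivered over plain HTTP and login would then fail without an obvious error. The enclosing handler bodies start and end outside the hunks shown, so this is based on the visible lines only.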