Commit
SSE auth via short-lived single-use tickets; ship report-only CSP
Commit details
Commit notes
- POST /events/ticket (Bearer-authenticated) mints a 30s single-use ticket in Redis; both SSE endpoints accept ?ticket= and consume it atomically with GETDEL. The legacy ?token= param still works for older clients, but the frontend now prefers tickets, so bearer tokens stop appearing in URLs, access logs, and browser history. - Remove SSE token-prefix console.logs and the per-request proxy console.log. - netlify.toml: add Content-Security-Policy-Report-Only (XSS is the account-takeover vector while tokens live in localStorage) and fix the [dev] block port to 4000. - Integration test covers ticket auth gating, TTL, and single-use consumption.
[private session redacted]
- Files changed
- 7
- Lines added
- +170
- Lines removed
- −44