seth.computer
commits
Co-authored-by: Shelley <shelley@exe.dev>
- Add file-based logger (data/app.log) with JSON metadata support
- Add database cleanup script (hourly via cron)
- Removes OAuth states older than 1 hour
- Removes sessions older than 30 days
- Vacuums SQLite database
- Configure logrotate for app.log and cleanup.log
- Daily rotation, 14 days retention
- Compression enabled
Co-authored-by: Shelley <shelley@exe.dev>
Security fixes based on adversarial audit:
1. CSRF Protection (CRITICAL)
- Added CSRF middleware with double-submit cookie pattern
- All POST forms now include hidden _csrf field
- Tokens validated on all state-changing requests
2. Private Key Permissions (HIGH)
- Private key now written with mode 0600 (owner read/write only)
- Prevents other system users from reading the key
3. Input Validation (MEDIUM)
- Added TID format validation for rkey parameters
- Prevents potential path traversal or injection via malformed IDs
4. Added validation library for future use
- TID validation
- HTTPS URL validation
- String sanitization helper
Co-authored-by: Shelley <shelley@exe.dev>
The client-metadata.json and jwks.json endpoints must be publicly
accessible by Bluesky's OAuth server. Added:
- Access-Control-Allow-Origin: * header
- Cache-Control header for reasonable caching
Note: The exe.dev proxy must be set to public for OAuth to work:
ssh exe.dev share set-public stdeditor
Co-authored-by: Shelley <shelley@exe.dev>
- Use SQLite for session and state persistence (survives restarts)
- Use ES256 private key for confidential client authentication
- Expose /client-metadata.json and /jwks.json at root level
- Configure for standard HTTPS URL (no custom ports - required by Bluesky)
- Add proper error handling and error messages on login page
- Update documentation with deployment instructions
Co-authored-by: Shelley <shelley@exe.dev>
Features:
- ATProto OAuth authentication with Bluesky
- Publication management (create, edit)
- Document management (create, edit, publish, unpublish, delete)
- Draft/published filtering
- Responsive UI with dark mode support
Tech stack:
- Bun runtime
- Hono web framework
- @atproto/oauth-client-node for OAuth
- @atproto/api for PDS interaction
- Server-side rendered HTML templates
Co-authored-by: Shelley <shelley@exe.dev>
- Add file-based logger (data/app.log) with JSON metadata support
- Add database cleanup script (hourly via cron)
- Removes OAuth states older than 1 hour
- Removes sessions older than 30 days
- Vacuums SQLite database
- Configure logrotate for app.log and cleanup.log
- Daily rotation, 14 days retention
- Compression enabled
Co-authored-by: Shelley <shelley@exe.dev>
Security fixes based on adversarial audit:
1. CSRF Protection (CRITICAL)
- Added CSRF middleware with double-submit cookie pattern
- All POST forms now include hidden _csrf field
- Tokens validated on all state-changing requests
2. Private Key Permissions (HIGH)
- Private key now written with mode 0600 (owner read/write only)
- Prevents other system users from reading the key
3. Input Validation (MEDIUM)
- Added TID format validation for rkey parameters
- Prevents potential path traversal or injection via malformed IDs
4. Added validation library for future use
- TID validation
- HTTPS URL validation
- String sanitization helper
Co-authored-by: Shelley <shelley@exe.dev>
The client-metadata.json and jwks.json endpoints must be publicly
accessible by Bluesky's OAuth server. Added:
- Access-Control-Allow-Origin: * header
- Cache-Control header for reasonable caching
Note: The exe.dev proxy must be set to public for OAuth to work:
ssh exe.dev share set-public stdeditor
Co-authored-by: Shelley <shelley@exe.dev>
- Use SQLite for session and state persistence (survives restarts)
- Use ES256 private key for confidential client authentication
- Expose /client-metadata.json and /jwks.json at root level
- Configure for standard HTTPS URL (no custom ports - required by Bluesky)
- Add proper error handling and error messages on login page
- Update documentation with deployment instructions
Co-authored-by: Shelley <shelley@exe.dev>
Features:
- ATProto OAuth authentication with Bluesky
- Publication management (create, edit)
- Document management (create, edit, publish, unpublish, delete)
- Draft/published filtering
- Responsive UI with dark mode support
Tech stack:
- Bun runtime
- Hono web framework
- @atproto/oauth-client-node for OAuth
- @atproto/api for PDS interaction
- Server-side rendered HTML templates
Co-authored-by: Shelley <shelley@exe.dev>