Business-Management/TODO.md
curo1305 e2c55556ac Switch JWT signing from HS256 to RS256 (4096-bit RSA)
- Replace symmetric SECRET_KEY with JWT_PRIVATE_KEY / JWT_PUBLIC_KEY (PEM)
- Add iat claim to every token
- Add expand_newlines validator in config for single-line .env PEM values
- Add scripts/generate_jwt_keys.py key-generation helper
- Update security-auditor agent JWT checklist with RS256 enforcement rules
- Mark RS256 as done in TODO.md

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-13 23:00:35 +02:00

TODO

UX/UI — Penpot setup

  • Spin up Penpot LXC — separate LXC container on the server (~24 GB RAM), Docker Compose from https://github.com/penpot/penpot; expose via subdomain behind nginx proxy manager
  • Create Penpot project — register on the self-hosted instance, create project destroying_sap, create initial design file
  • Generate Penpot access token — Profile → Access tokens; used by the ux-designer agent via WebFetch REST API calls
  • Decide on UI component library — shadcn/ui (recommended: Tailwind-based, unstyled accessible primitives, white-label friendly) vs MUI vs other; decision affects both Penpot design system and frontend implementation
  • Connect ux-designer agent — confirm Penpot API reachable, provide instance URL + token to agent at session start

Auth / session security

  • 8-hour JWT expiry — ACCESS_TOKEN_EXPIRE_MINUTES = 60 * 8; no permanent login
  • RS256 JWT signing — 4096-bit RSA asymmetric keys; iat claim included; generate keys with scripts/generate_jwt_keys.py
  • No refresh tokens — refresh token flow not implemented; if added later, must use httpOnly cookies and rotation
  • httpOnly cookie migration — currently storing JWT in localStorage (XSS-exposed); migrate to httpOnly cookie when hardening for production
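As an added example (not the project's code, and not the PyJWT/cryptography stack a production app would use), the stdlib-only Python below shows what the four items above amount to in code: an RS256 signature is PKCS#1 v1.5 over SHA-256 of `header.payload`; the verifier pins `alg` to RS256 before it looks at the signature, so `alg=none` and HS256-signed-with-the-public-key tokens are refused; and `iat`/`exp` are checked against the 8-hour policy. Assumptions made here: keys are `(n, e)`/`(n, d)` integer tuples from a toy pure-Python generator standing in for `scripts/generate_jwt_keys.py` rather than PEM files; `expand_newlines` is assumed to turn the literal `\n` of a single-line `.env` value into real newlines; `CLOCK_SKEW_SECONDS` is an added tolerance, not a project setting.

```python
from __future__ import annotations
import base64, hashlib, json, secrets, time

ACCESS_TOKEN_EXPIRE_MINUTES = 60 * 8  # TODO.md: 8-hour expiry, no permanent login
CLOCK_SKEW_SECONDS = 30               # assumption: drift tolerated between issuer and verifier clocks
_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # RFC 8017 9.2 note 1
_SMALL_PRIMES = (3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61, 67, 71, 73, 79, 83, 89, 97)

def expand_newlines(value: str) -> str:
    """Assumed behaviour of the config validator: .env is single-line, so PEM arrives with literal '\\n'."""
    return value.replace("\\n", "\n")

def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    if n < 2 or n % 2 == 0:
        return n == 2
    for p in _SMALL_PRIMES:  # cheap trial division before Miller-Rabin
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):  # Miller-Rabin with random bases
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits: int) -> int:
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # exact bit length, odd
        if _is_probable_prime(c):
            return c

def generate_rsa_keypair(bits: int = 4096) -> tuple[tuple[int, int], tuple[int, int]]:
    """Return ((n, e), (n, d)). Toy stand-in for scripts/generate_jwt_keys.py; 2048 keeps a demo run to ~1 s."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this is gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _emsa_pkcs1_v1_5(message: bytes, k: int) -> int:
    """EMSA-PKCS1-v1_5 encoding of SHA-256(message) for a k-byte modulus, as an integer."""
    t = _SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")

def rs256_sign(message: bytes, private_key: tuple[int, int]) -> bytes:
    n, d = private_key
    k = (n.bit_length() + 7) // 8
    return pow(_emsa_pkcs1_v1_5(message, k), d, n).to_bytes(k, "big")

def rs256_verify(message: bytes, signature: bytes, public_key: tuple[int, int]) -> bool:
    n, e = public_key
    k = (n.bit_length() + 7) // 8
    s = int.from_bytes(signature, "big")  # compare to a fresh encoding, never parse the recovered block (RFC 8017 8.2.2)
    return len(signature) == k and s < n and pow(s, e, n) == _emsa_pkcs1_v1_5(message, k)

def mint_token(sub: str, private_key: tuple[int, int], now: int | None = None) -> str:
    now = int(time.time()) if now is None else now
    header = {"alg": "RS256", "typ": "JWT"}
    claims = {"sub": sub, "iat": now, "exp": now + ACCESS_TOKEN_EXPIRE_MINUTES * 60}
    signing_input = ".".join(b64url(json.dumps(p, separators=(",", ":")).encode()) for p in (header, claims))
    return signing_input + "." + b64url(rs256_sign(signing_input.encode("ascii"), private_key))

def verify_token(token: str, public_key: tuple[int, int], now: int | None = None) -> dict:
    """Return the claims or raise ValueError. The alg is pinned before the signature is looked at."""
    now = int(time.time()) if now is None else now
    try:
        h_b64, c_b64, s_b64 = token.split(".")
        header, sig = json.loads(b64url_decode(h_b64)), b64url_decode(s_b64)
    except Exception as err:
        raise ValueError("malformed token") from err
    if not isinstance(header, dict) or header.get("alg") != "RS256":  # refuses alg=none and key-confusion tokens
        raise ValueError(f"unexpected alg {header.get('alg') if isinstance(header, dict) else header!r}")
    if not rs256_verify(f"{h_b64}.{c_b64}".encode("ascii"), sig, public_key):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(c_b64))
    if any(name not in claims for name in ("sub", "iat", "exp")):
        raise ValueError("missing sub, iat or exp")
    if claims["iat"] > now + CLOCK_SKEW_SECONDS:
        raise ValueError("iat is in the future")
    if claims["exp"] <= now - CLOCK_SKEW_SECONDS:
        raise ValueError("expired")
    return claims
```

`generate_rsa_keypair(2048)` runs in about a second; the project's 4096-bit size is right for production keys but slow in pure Python, which is one more reason to keep generating keys with the real script and verifying with a maintained library. The library form of the same pin is `jwt.decode(token, public_pem, algorithms=["RS256"])` in PyJWT, with only the public key ever handed to the verifier.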

App permissions

  • Permissions registry — admin-managed table that controls which apps each user can access. Schema: user_app_permissions (user_id FK, app_key). Admin UI lets the admin grant/revoke per-app access per user. The Apps page only shows apps the current user has been granted access to.
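An added example, not the project's code: the registry above written against SQLite so it runs stand-alone (the real app uses PostgreSQL). Only `user_app_permissions(user_id, app_key)` comes from the TODO; the `users` and `apps` tables, the `is_admin` column, the `ON DELETE CASCADE` rule and the function names are assumptions made for the example. What it shows beyond the bullet: the composite primary key makes grants idempotent, the foreign keys refuse grants for unknown users or apps, and the Apps page filter (`visible_apps`) and the per-request check (`has_access`) are two different calls, because hiding a tile is not authorization.

```python
from __future__ import annotations
import sqlite3

# Schema from the TODO: user_app_permissions(user_id FK, app_key). The users and apps tables,
# is_admin and the cascade rule are assumptions for this example, not the project's migrations.
SCHEMA = """
CREATE TABLE users (
    id       INTEGER PRIMARY KEY,
    email    TEXT NOT NULL UNIQUE,
    is_admin INTEGER NOT NULL DEFAULT 0
);
CREATE TABLE apps (
    app_key TEXT PRIMARY KEY
);
CREATE TABLE user_app_permissions (
    user_id INTEGER NOT NULL REFERENCES users(id) ON DELETE CASCADE,
    app_key TEXT    NOT NULL REFERENCES apps(app_key) ON DELETE CASCADE,
    PRIMARY KEY (user_id, app_key)
);
"""


class PermissionDenied(Exception):
    """Raised when a non-admin (or unknown) actor tries to change the registry."""


def connect() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # SQLite ignores FK constraints unless enabled per connection
    conn.executescript(SCHEMA)
    return conn


def seed_demo(conn: sqlite3.Connection) -> None:
    """Constructed sample data: one admin, one regular user, three app keys."""
    conn.executemany("INSERT INTO users (id, email, is_admin) VALUES (?, ?, ?)",
                     [(1, "admin@example.com", 1), (2, "alice@example.com", 0)])
    conn.executemany("INSERT INTO apps (app_key) VALUES (?)", [("crm",), ("invoicing",), ("hr",)])
    conn.commit()


def _require_admin(conn: sqlite3.Connection, actor_id: int) -> None:
    row = conn.execute("SELECT is_admin FROM users WHERE id = ?", (actor_id,)).fetchone()
    if row is None or not row[0]:
        raise PermissionDenied(f"user {actor_id} may not manage app permissions")


def grant(conn: sqlite3.Connection, actor_id: int, user_id: int, app_key: str) -> None:
    """Idempotent: the composite primary key turns a repeated grant into a no-op.
    An unknown app_key or user_id still fails, because OR IGNORE does not cover FK violations."""
    _require_admin(conn, actor_id)
    with conn:  # commit on success, roll back on error
        conn.execute("INSERT OR IGNORE INTO user_app_permissions (user_id, app_key) VALUES (?, ?)",
                     (user_id, app_key))


def revoke(conn: sqlite3.Connection, actor_id: int, user_id: int, app_key: str) -> None:
    _require_admin(conn, actor_id)
    with conn:
        conn.execute("DELETE FROM user_app_permissions WHERE user_id = ? AND app_key = ?",
                     (user_id, app_key))


def visible_apps(conn: sqlite3.Connection, user_id: int) -> list[str]:
    """What the Apps page renders: granted apps only. Admins get no implicit access to every app."""
    rows = conn.execute("SELECT app_key FROM user_app_permissions WHERE user_id = ? ORDER BY app_key",
                        (user_id,))
    return [r[0] for r in rows]


def has_access(conn: sqlite3.Connection, user_id: int, app_key: str) -> bool:
    """The check every app route must run server-side; hiding a tile in the UI is not authorization."""
    row = conn.execute("SELECT 1 FROM user_app_permissions WHERE user_id = ? AND app_key = ?",
                       (user_id, app_key)).fetchone()
    return row is not None


if __name__ == "__main__":
    db = connect()
    seed_demo(db)
    grant(db, actor_id=1, user_id=2, app_key="crm")
    grant(db, actor_id=1, user_id=2, app_key="crm")  # no-op, not a duplicate row
    grant(db, actor_id=1, user_id=2, app_key="invoicing")
    print(visible_apps(db, 2))   # ['crm', 'invoicing']
    print(has_access(db, 2, "hr"))  # False
```

The same pattern carries over to PostgreSQL unchanged apart from `INSERT OR IGNORE` becoming `INSERT ... ON CONFLICT DO NOTHING`; PostgreSQL enforces foreign keys without the pragma.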

Frontend features

  • Logout button — visible when logged in, clears token and redirects to /login
  • Profile page (/profile) — shows personal information for the logged-in user
  • Edit & save profile — form to update personal details, stored in a dedicated profiles table (separate from users, same PostgreSQL container)

Infrastructure

  • Docker port hardening — expose only port 80 externally; backend (8000) and db (5432) must not be reachable from outside the Docker network. Prepare for deployment behind Traefik or nginx proxy manager (SSL termination, reverse proxy, no direct container exposure).

Infrastructure (existing)

  • Rootless containers — run backend and frontend containers as non-root users (add USER directive to Dockerfiles, map UID/GID appropriately)
  • Persistent storage — ensure database data, config files, and any uploaded assets survive container restarts and rebuilds (named volumes, bind mounts for config)
  • Docker development workflow — document and streamline the full dev loop: hot reload, one-command startup, migration handling, seed data, and how to attach a debugger