backend: complete P0 session rotation hardening
TODO.md (4 changes)
@@ -4,10 +4,10 @@ Concrete follow-up work for Jellomator, prioritized by implementation risk and u
## P0 - Security and Reliability
- [ ] Add session expiry and rotation.
- [x] Add session expiry and rotation.
- [x] Add `expires_at` and `last_seen_at` to `sessions`.
- [x] Reject expired tokens in `current_user`.
- [ ] Rotate session token on login and periodically on use.
- [x] Rotate session token on login and periodically on use.
- [x] Harden auth endpoints.
- [x] Add login rate limiting by IP + username pair.
- [x] Add brute-force lockout window with clear error message.
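Review bot: The only file in this commit is TODO.md, yet the hunk ticks "Rotate session token on login and periodically on use" and the whole "Harden auth endpoints" block (IP + username rate limiting, brute-force lockout) as done, and the commit message claims backend session-rotation hardening; either the backend changes belong in this commit or the message should reference the commit(s) that actually implemented them, so the checklist is verifiable from history. While touching these lines, record the parameters a reviewer needs to check the implementation against: the `expires_at` lifetime and the rotation interval behind "periodically on use", whether a just-rotated old token is honoured for a short grace period so concurrent requests from the same client are not logged out mid-flight, and the lockout window length. For "brute-force lockout window with clear error message", make sure the lockout response is identical for existing and non-existing usernames; a message that only appears for real accounts turns the lockout into a username-enumeration oracle.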