Fix/dashboard auth 1038 + Fix: enforce server-side auth for protected pages & add secure auth + upload flows #1042
This PR fixes the security issue where users could access protected pages and functionality without logging in. It implements server-side protections and completes the login/signup/profile/upload flows so pages and APIs require a valid session.
What I changed

- Enforced server-side authentication:
  - Protected pages (dashboard, upload, notes, todolist, profile, edit-profile, etc.) now redirect to the login page when the user is not authenticated.
- Implemented server-side auth endpoints:
  - /api/register, /api/login, /api/logout, /api/user (GET/PUT), /api/change-password
  - Sessions use Flask server-side session handling.
- Made frontend use the API:
  - login/signup/profile/upload now POST to the backend and use session cookies.
- Served the frontend from Flask:
  - Backend now serves static frontend files so frontend and backend share the same origin (cookies work reliably).
- Added secure upload endpoint:
  - /api/upload saves files in a per-user upload folder, validates size and extensions.
- Navbar & UX improvements:
  - Navbar shows logged-in user name, profile dropdown (View/Edit/Change password/Logout).
  - Centralized client auth helper (scripts/auth.js) and consistent client behavior.
- Hardening & usability:
  - Server now stores salted password hashes; legacy client hashes are upgraded on login.
  - MAX_CONTENT_LENGTH and allowed upload types set.
- Repo housekeeping:
  - .gitignore updated for backend/.venv, uploads, archive
  - Comments were removed project-wide and a backup of originals was saved to archive/comments-backup/
  - Created branch feat/server-auth-upload
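Two of the server-side pieces the description lists, salted password hashing with upgrade of a legacy client hash on login and upload validation (size cap, extension allow-list, per-user folder), as an added example that is not code from this PR or repository. It is plain Python with no Flask dependency; the legacy client-hash format (unsalted SHA-256 hex), the PBKDF2 parameters, the allowed extensions, the 2 MiB limit and all function names are assumptions.

```python
import hashlib
import hmac
import os
import secrets
from pathlib import PurePosixPath

# Assumed parameters (not taken from the PR): tune to the real deployment.
PBKDF2_ITERATIONS = 200_000
ALLOWED_EXTENSIONS = {"png", "jpg", "pdf", "txt"}
MAX_CONTENT_LENGTH = 2 * 1024 * 1024  # 2 MiB, mirrors Flask's MAX_CONTENT_LENGTH idea

def legacy_client_hash(password):
    """Assumed legacy format: the old client sent an unsalted SHA-256 hex digest."""
    return hashlib.sha256(password.encode()).hexdigest()

def hash_password(password, salt=None):
    """Return 'pbkdf2$<iters>$<salt_hex>$<hash_hex>' using a fresh random salt."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return "pbkdf2$%d$%s$%s" % (PBKDF2_ITERATIONS, salt.hex(), digest.hex())

def verify_password(stored, password):
    """Return (ok, upgraded_record). upgraded_record is a new salted record when a
    legacy client hash matched and should replace it; otherwise None.
    Comparisons are constant-time in both branches."""
    if stored.startswith("pbkdf2$"):
        _, iters, salt_hex, hash_hex = stored.split("$")
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                     bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(digest.hex(), hash_hex), None
    if hmac.compare_digest(legacy_client_hash(password), stored):
        return True, hash_password(password)  # upgrade on successful login
    return False, None

def validate_upload(filename, size):
    """Return a safe basename for the per-user folder, or raise ValueError."""
    if size > MAX_CONTENT_LENGTH:
        raise ValueError("file too large")
    name = PurePosixPath(filename.replace("\\", "/")).name  # strip any directory part
    if not name or name in (".", "..") or "\x00" in name:
        raise ValueError("bad filename")
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError("extension not allowed")
    return name

def user_upload_path(upload_root, user_id, filename, size):
    """Path inside the caller's own folder; the user id comes from the session, not the request."""
    return os.path.join(upload_root, str(int(user_id)), validate_upload(filename, size))
```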