admin/changemaker.lite
1
0
Fork 0
Code Issues Packages Projects Releases 31 Wiki Activity
changemaker.lite/changemaker-control-panel
History
bunker-admin b215cda018 Security audit follow-up: httpOnly cookies, ticket reservations, MongoDB keyfile 
Deferred findings from the March 27 security audit, plus a bug fix:

MongoDB keyfile (bug fix):
- Generate replica.key on first boot via entrypoint script
- Fixes crash from --auth + --keyFile without an existing keyfile
- Applied to docker-compose.yml, docker-compose.prod.yml, CCP template

I7 — Ticket overselling prevention (reservation pattern):
- Add reservedCount field to TicketTier schema
- Atomically increment reservedCount inside transaction on checkout
- Release reservation on checkout.session.completed (webhook)
- Release reservation on checkout.session.expired (webhook)
- Include reservedCount in availability calculations

I17 — Move refresh token to httpOnly cookie:
- Server sets httpOnly SameSite=Strict cookie on login/register/refresh
- Cookie scoped to /api/auth path, secure in production
- Refresh/logout endpoints read from cookie (with body fallback for compat)
- Frontend no longer stores refreshToken in localStorage
- Auth store simplified: removed refreshToken from state + persistence
- API interceptor uses withCredentials:true for automatic cookie sending
- Updated media-api, media-public-api, QuickJoinPage, volunteer-invite
- Renamed getTokens → getAccessToken across all media components
- Install cookie-parser middleware

L2 — FeatureGate loading state:
- Show Skeleton instead of children while settings are loading
- Prevents briefly exposing disabled feature pages

Bunker Admin
2026-03-27 09:20:26 -06:00
..
admin
Make embed proxy ports configurable via env vars for multi-instance deployments
2026-03-25 15:25:00 -06:00
api
Add MONGO_ROOT_PASSWORD to docs, config wizard, CCP, and prod compose
2026-03-27 08:57:48 -06:00
templates
Security audit follow-up: httpOnly cookies, ticket reservations, MongoDB keyfile
2026-03-27 09:20:26 -06:00
.env.example
Upgrade system finished
2026-03-22 21:47:09 -06:00
.gitignore
Merge changemaker-control-panel into v2 monorepo
2026-02-21 11:51:45 -07:00
CCP_PLAN.md
Merge changemaker-control-panel into v2 monorepo
2026-02-21 11:51:45 -07:00
docker-compose.yml
Upgrade system finished
2026-03-22 21:47:09 -06:00
Dockerfile.admin
Merge changemaker-control-panel into v2 monorepo
2026-02-21 11:51:45 -07:00
Dockerfile.api
Merge changemaker-control-panel into v2 monorepo
2026-02-21 11:51:45 -07:00
setup.sh
Merge changemaker-control-panel into v2 monorepo
2026-02-21 11:51:45 -07:00